Description

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data’s projection-based request payload binding hat can lead to a remote code execution attack.

Affected Spring Products and Versions

• Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10)
• Spring Data REST 2.6 to 2.6.10 (Ingalls SR10)
• Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
• Spring Data REST 3.0 to 3.0.5 (Kay SR5)
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 2.0.x users should upgrade to 2.0.6
• 1.13.x users should upgrade to 1.13.11
• Older versions should upgrade to a supported branch

Releases that have fixed this issue include:

• Spring Data REST 2.6.11 (Ingalls SR11)
• Spring Data REST 3.0.6 (Kay SR6)

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for endpoints, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Philippe Arteau, GoSecure Inc.

References

• https://jira.spring.io/browse/DATACMNS-1282
• https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a
• https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653
• …

Description

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

Affected Spring Products and Versions

• Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10)
• Spring Data REST 2.6 to 2.6.10 (Ingalls SR10)
• Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
• Spring Data REST 3.0 to 3.0.5 (Kay SR5)
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 2.0.x users should upgrade to 2.0.6
• 1.13.x users should upgrade to 1.13.11
• Older versions should upgrade to a supported branch

Releases that have fixed this issue include:

• Spring Data REST 2.6.11 (Ingalls SR11)
• Spring Data REST 3.0.6 (Kay SR6)

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for endpoints, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Yevhenii Hrushka (Yevgeniy Grushka), Fortify Webinspect.

References

• https://jira.spring.io/browse/DATACMNS-1285
• https://github.com/spring-projects/spring-data-commons/commit/371f6590c509c72f8e600f3d05e110941607fbad
• https://github.com/spring-projects/spring-data-commons/commit/3d8576fe4e4e71c23b9e6796b32fd56e51182ee0
…

Description

This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, as well as older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Affected Spring Products and Versions

• Spring Framework 5.0 to 5.0.4
• Spring Framework 4.3 to 4.3.15
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 5.0.x users should upgrade to 5.0.5
• 4.3.x users should upgrade to 4.3.16
• Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for messages, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This original issue CVE-2018-1270 was identified and responsibly reported by Alvaro Muñoz (@pwntester), Micro Focus Fortify. The subsequent CVE-2018-1275 partial fix was identified and…

Description

Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Affected Spring Products and Versions

• Spring Framework 5.0 to 5.0.4
• Spring Framework 4.3 to 4.3.15
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 5.0.x users should upgrade to 5.0.5
• 4.3.x users should upgrade to 4.3.16
• Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for messages, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Alvaro Muñoz (@pwntester), Micro Focus Fortify.

References

• Example <a href='https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable'&gt;STOMP over WebSocket config</a> where simple broker is enabled.
• <a href='https://docs.spring.io/spring-security/site/docs/5.0.3.RELEASE/reference/htmlsingle/#websocket'&gt;Spring…

Description

Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Affected Spring Products and Versions

• Spring Framework 5.0 to 5.0.4
• Spring Framework 4.3 to 4.3.14
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 5.0.x users should upgrade to 5.0.5
• 4.3.x users should upgrade to 4.3.15
• Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

Note also that this attack does not apply to applications that:

• Do not use Windows.
• Do not serve files from the file system, i.e. not using “file:” for the resource location.
• Use Spring Security with versions patched for CVE-2018-1199.

Credit

This issue was identified and responsibly reported by Orange Tsai (@orange_8361) from DEVCORE.

References

• Example <a href='https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#mvc-config-static-resources'&gt;Spring MVC config</a> that enables the serving of static resources.
…

Description

Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

In order for the attacker to succeed, they would have to be able to guess the multipart boundary value chosen by server A for the multipart request to server B, which requires the attacker to also have control of the server or the ability to see the HTTP log of server A through a separate attack vector.

Affected Spring Products and Versions

• Spring Framework 5.0 to 5.0.4
• Spring Framework 4.3 to 4.3.14
• Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

• 5.0.x users should upgrade to 5.0.5
• 4.3.x users should upgrade to 4.3.15

There are no other mitigation steps necessary.

Credit

This issue was identified and responsibly reported by Philippe Arteau from GoSecure.

History

2018-04-05: Initial vulnerability report published

Description

Cross-site scripting (XSS) vulnerability in the file upload feature of Spring Batch Admin allows a remote attacker to inject arbitrary web script or HTML via a crafted request related to the file upload functionality.

Affected Spring Products and Versions

• Spring Batch Admin all versions

Mitigation

Users of affected versions should apply the following mitigation:

• Spring Batch Admin has reached end of life as of January 1, 2018. Spring Cloud Data Flow is the recommended replacement for managing and monitoring Spring Batch jobs going forward.

Credit

This vulnerability was responsibly reported by Wen Bin Kong.

References

• https://docs.spring.io/spring-batch-admin
• https://github.com/spring-projects/spring-batch-admin/blob/master/MIGRATION.md
…

Description

Spring Batch Admin does not contain Cross Site Request Forgery (CSRF) protection, which may allow an attacker to craft a malicious site that executes requests to Spring Batch Admin.

Affected Spring Products and Versions

• Spring Batch Admin all versions

Mitigation

Users of affected versions should apply the following mitigation:

• Spring Batch Admin has reached end of life as of January 1, 2018. Spring Cloud Data Flow is the recommended replacement for managing and monitoring Spring Batch jobs going forward.

Credit

This vulnerability was responsibly reported by Wen Bin Kong.

References

• https://docs.spring.io/spring-batch-admin
• https://github.com/spring-projects/spring-batch-admin/blob/master/MIGRATION.md
…

Description

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.

In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.

Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

[1] https://docs.spring.io/spring-boot/docs/1.5.x/reference/htmlsingle/#deployment-service

Affected Spring Products and Versions

• Spring Boot
  • 1.5.0 - 1.5.9
  • 2.0.0.M1 - 2.0.0.M7
• Older unmaintained versions of Spring Boot were not analyzed and may be impacted.

Mitigation

Users of affected versions should apply the following mitigation:

• 1.5.x users should update to 1.5.10
• 2.0.x pre-release users should update to 2.0.0.RC1

Credit

This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal.

History

2018-01-30: Initial vulnerability report published

Description

Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Affected Spring Products and Versions

• Spring Security
  • 4.1.0 - 4.1.4
  • 4.2.0 - 4.2.3
  • 5.0.0
• Spring Framework
  • 5.0.0 - 5.0.2
  • 4.3.0 - 4.3.13
• Older unmaintained versions of Spring Security & Spring Framework were not analyzed and may be impacted

Mitigation

Users of affected versions should apply the following mitigation:

• Spring Security<ul><li>5.0.x users should update to 5.0.1</li><li>4.2.x users should update to 4.2.4</li><li>4.1.x users should update to 4.1.5</li></ul>
• Spring Framework<ul><li>5.0.x users should update to 5.0.3</li><li>4.3.x users should update to 4.3.14</li></ul>

As a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath.

Credit

The issue was identified by Macchinetta Framework Development Team from NTT Comware, NTT DATA Corporation, and NTT, and responsibly reported to Pivotal.

History

2018-01-29: Initial…