Spring Security Advisories

RSS feed

This page lists Spring advisories.

CVE-2018-11040: JSONP enabled by default in MappingJackson2JsonView

MEDIUM | JUNE 14, 2018 | CVE-2018-11040

Description

Spring Framework, versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot. However when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Allowing cross-domain requests from untrusted origins may expose user information to 3rd party browser scripts.

This vulnerability applies to applications that:

  • Explicitly configure MappingJackson2JsonView.
  • And do not set the jsonpParameterNames property of MappingJackson2JsonView to an empty set.
  • And expose sensitive user information over endpoints that can render content with JSONP.

Affected Spring Products and Versions

  • Spring Framework 5.0 to 5.0.6
  • Spring Framework 4.1 to 4.3.17

Mitigation

Users of affected versions should apply the following mitigation:

  • 5.0.x users should upgrade to 5.0.7.
  • 4.3.x users should upgrade to 4.3.18.
  • Older versions should upgrade to a supported branch, or otherwise set MappingJacksonJsonView’s jsonpParameterNames property to an empty set.

Applications that do require JSONP support will need to explicitly configure the jsonpParameterNames property of MappingJacksonJsonView following the upgrade. It is recommended that applications switch to using CORS instead of JSONP to enable cross-domain requests. JSONP support in the Spring Framework is deprecated as of 5.0.7 and 4.3.18 and will be removed in 5.1.

Credit

This issue was identified and reported by Meyyalagan Chandrasekaran.

References

CVE-2018-11039: Cross Site Tracing (XST) with Spring Framework

MEDIUM | JUNE 14, 2018 | CVE-2018-11039

Description

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Affected Spring Products and Versions

  • Spring Framework 5.0 to 5.0.6
  • Spring Framework 4.3 to 4.3.17
  • Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

  • 5.0.x users should upgrade to 5.0.7
  • 4.3.x users should upgrade to 4.3.18
  • Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

This attack applies to applications that:

  • Use the HiddenHttpMethodFilter (it is enabled by default in Spring Boot)
  • Allow HTTP TRACE requests to be handled by the application server

This attack is not exploitable directly because an attacker would have to make a cross-domain request via HTTP POST, which is forbidden by the Same Origin Policy. This is why a pre-existing XSS (Cross Site Scripting) vulnerability in the web application itself is necessary to enable an escalation to XST.

Credit

This issue was identified and reported by Mariusz Łuciów, Ocado Technology.

History

2018-06-14: Initial vulnerability report published.

CVE-2018-1263: Unsafe Unzip with spring-integration-zip

CRITICAL | MAY 11, 2018 | CVE-2018-1263

Description

spring-integration-zip , versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. The previous CVE-2018-1261 prevented the framework itself from writing the file. While the framework itself now does not write such files, it does present the errant path to the user application, which could inadvertently write the file using that path.

This specifically applies to the unzip transformer.

This can only happen if an application using this library accepts and unpacks zip files from untrusted sources.

Affected Spring Products and Versions

  • Spring Integration Zip Community Extension Project versions 1.0.1.RELEASE and earlier.

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade to the 1.0.2.RELEASE

Or do not unzip untrusted zip files.

Credit

This issue was identified and responsibly reported by the Snyk Security Research Team and Abago Forgans.

History

2018-05-11: Initial vulnerability report published

CVE-2018-1257: ReDoS Attack with spring-messaging

HIGH | MAY 09, 2018 | CVE-2018-1257

Description

Spring Framework, versions 5.0.x prior to 5.0.6 and versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

This vulnerability exposes applications that meet all of the following requirements:

  • Depend on spring-messaging and spring-websocket modules.
  • Register STOMP over WebSocket endpoints.
  • Enable the simple STOMP broker.

Affected Spring Products and Versions

  • Spring Framework 5.0 to 5.0.5
  • Spring Framework 4.3 to 4.3.16
  • Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

  • 5.0.x users should upgrade to 5.0.6.
  • 4.3.x users should upgrade to 4.3.17.
  • Older versions should upgrade to a supported branch.

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for messages, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd.

References

CVE-2018-1258: Unauthorized Access with Spring Security Method Security

CRITICAL | MAY 09, 2018 | CVE-2018-1258

Description

Spring Security in combination with Spring Framework 5.0.5.RELEASE contain an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

Affected Spring Products and Versions

  • Spring Framework 5.0.5.RELEASE and Spring Security (any version)
  • Applications are only impacted if they use Spring Framework 5.0.5.RELEASE and Spring Security method security. The bug is present in Spring Framework 5.0.5.RELEASE, but is not considered a CVE unless combined with Spring Security’s method security support.
  • The bug is present only in Spring Framework 5.0.5.RELEASE. If the application does not use Spring Framework 5.0.5.RELEASE then it is not impacted. The bug does not impact any Spring Framework 4.x versions or any other versions of Spring Framework.

Mitigation

  • Users leveraging Spring Framework 5.x should avoid using Spring Framework 5.0.5.RELEASE. Updating to Spring Security 5.0.5.RELEASE+ or Spring Boot 2.0.2.RELEASE+ brings in Spring Framework 5.0.6.RELEASE+ transitively. However, users should be certain that other dependency management mechanisms are also updated to use Spring Framework 5.0.6.RELEASE or newer.
  • Users leveraging Spring Framework 4.x (Spring Security 4.x or Spring Boot 1.x) are not impacted so no steps are necessary.
  • There are no other mitigation steps required.

Credit

This issue was identified internally by the Spring Security Team.

History

2018-05-09: Initial vulnerability report published

  • 2018-07-30: Clarifications on impacted versions

CVE-2018-1259: XXE with Spring Data’s XMLBeam integration

HIGH | MAY 09, 2018 | CVE-2018-1259

Description

Spring Data Commons, versions prior to 1.13 to 1.13.11 and 2.0 to 2.0.6 used in combination with XMLBeam 1.4.14 or earlier versions contain a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data’s projection-based request payload binding to access arbitrary files on the system.

Affected Spring Products and Versions

  • Spring Data Commons 1.13 to 1.13.11 (Ingalls SR11)
  • Spring Data REST 2.6 to 2.6.11 (Ingalls SR11)
  • Spring Data Commons 2.0 to 2.0.6 (Kay SR6)
  • Spring Data REST 3.0 to 3.0.6 (Kay SR6)

Mitigation

Users of affected versions should apply the following mitigation:

  • 1.13.x users should upgrade to 1.13.12 (Ingalls SR12)
  • 2.0.x users should upgrade to 2.0.7 (Kay SR7)
  • Alternatively, upgrade to XMLBeam 1.4.15

Releases that have fixed this issue include:

  • Spring Data REST 2.6.12 (Ingalls SR12)
  • Spring Data REST 3.0.7 (Kay SR7)

There are no other mitigation steps necessary.

Note that the vulnerability is only exploitable when using XMLBeam. The use of authentication and authorization for endpoints, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Abago Forgans.

References

CVE-2018-1261: Unsafe Unzip with spring-integration-zip

CRITICAL | MAY 09, 2018 | CVE-2018-1261

Description

spring-integration-zip , versions prior to 1.0.1, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

This specifically applies to the unzip transformer.

This can only happen if an application using this library accepts and unpacks zip files from untrusted sources.

Affected Spring Products and Versions

  • Spring Integration Zip Community Extension Project version 1.0.0.RELEASE

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade to the 1.0.1.RELEASE

Or do not unzip untrusted zip files.

Credit

This issue was identified and responsibly reported by the Snyk Security Research Team.

History

2018-05-09: Initial vulnerability report published

CVE-2018-1260: Remote Code Execution with spring-security-oauth2

CRITICAL | MAY 09, 2018 | CVE-2018-1260

Description

Spring Security OAuth, versions 2.3 prior to 2.3.3 and 2.2 prior to 2.2.2 and 2.1 prior to 2.1.2 and 2.0 prior to 2.0.15 and older unsupported versions, contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to a remote code execution when the resource owner is forwarded to the approval endpoint.

This vulnerability exposes applications that meet all of the following requirements:

  • Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
  • Use the default Approval Endpoint

This vulnerability does not expose applications that:

  • Act in the role of an Authorization Server but override the default Approval Endpoint
  • Act in the role of a Resource Server only (e.g. @EnableResourceServer)
  • Act in the role of a Client only (e.g. @EnableOAuthClient)

Affected Spring Products and Versions

  • Spring Security OAuth 2.3 to 2.3.2
  • Spring Security OAuth 2.2 to 2.2.1
  • Spring Security OAuth 2.1 to 2.1.1
  • Spring Security OAuth 2.0 to 2.0.14
  • Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

  • 2.3.x users should upgrade to 2.3.3
  • 2.2.x users should upgrade to 2.2.2
  • 2.1.x users should upgrade to 2.1.2
  • 2.0.x users should upgrade to 2.0.15
  • Older versions should upgrade to a supported branch

There are no other mitigation steps required.

Credit

This issue was identified and responsibly reported by Philippe Arteau from GoSecure.

References

CVE-2018-1256: Issuer validation regression in Spring Cloud SSO Connector

HIGH | APRIL 30, 2018 | CVE-2018-1256

Description

Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of the SSO Connector with tokens generated from another service plan.

Affected Spring Products and Versions

  • Spring Cloud SSO Connector version 2.1.2

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:</p><ul><li>Spring Cloud SSO Connector: 2.1.3</li></ul>
  • Alternatively, you can perform <u>one</u> of the following workarounds:</p><ul><li>Bind your resource server to the SSO service plan via a service instance binding</li><li>Set “sso.connector.cloud.available=true” within your Spring application properties</li></ul>

Credit

This vulnerability was responsibly reported by the Pivotal SSO Service team.

History

2018-04-30: Initial vulnerability report published

CVE-2018-1273: RCE with Spring Data Commons

CRITICAL | APRIL 10, 2018 | CVE-2018-1273

Description

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data’s projection-based request payload binding hat can lead to a remote code execution attack.

Affected Spring Products and Versions

  • Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10)
  • Spring Data REST 2.6 to 2.6.10 (Ingalls SR10)
  • Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
  • Spring Data REST 3.0 to 3.0.5 (Kay SR5)
  • Older unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation:

  • 2.0.x users should upgrade to 2.0.6
  • 1.13.x users should upgrade to 1.13.11
  • Older versions should upgrade to a supported branch

Releases that have fixed this issue include:

  • Spring Data REST 2.6.11 (Ingalls SR11)
  • Spring Data REST 3.0.6 (Kay SR6)

There are no other mitigation steps necessary.

Note that the use of authentication and authorization for endpoints, both of which are provided by Spring Security, limits exposure to this vulnerability to authorized users.

Credit

This issue was identified and responsibly reported by Philippe Arteau, GoSecure Inc.

References

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all