Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now

Haythem Elmir
Security researchers have disclosed three vulnerabilities in the Spring Framework, one of which is a critical remote code execution flaw that could allow a remote attacker to run arbitrary code against applications built on it.

Spring Framework is a popular, lightweight, open source framework for developing Java-based enterprise applications.

In an advisory released today, Pivotal detailed the following three vulnerabilities, affecting Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions:

  • Critical: Remote Code Execution with spring-messaging (CVE-2018-1270)
  • High: Directory Traversal with Spring MVC on Windows (CVE-2018-1271)
  • Low: Multipart Content Pollution with Spring Framework (CVE-2018-1272)

Vulnerable Spring Framework versions allow applications to expose STOMP-over-WebSocket endpoints backed by the simple in-memory STOMP broker in the 'spring-messaging' module. An attacker who can reach such an endpoint can send a specially crafted message to the broker that leads to remote code execution (CVE-2018-1270).

"The use of authentication and authorization of messages, such as the one provided by Spring Security, can limit exposure to this vulnerability only to users who are allowed to use the application," the company notes.
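The message-level authorization Pivotal refers to is configured in Spring Security's messaging support. The following is an added example written for this article, not code from Pivotal or the Spring project; it assumes a Spring Security 4.2/5.0 application whose @MessageMapping handlers sit under the '/app' prefix and whose broker destinations sit under '/topic' and '/user' (both prefixes are assumptions). Rules are evaluated top to bottom, first match wins, so the catch-all denials come last. This limits who can send frames to the broker; it reduces exposure to CVE-2018-1270 but does not fix it, and upgrading remains the actual remedy.

```java
import static org.springframework.messaging.simp.SimpMessageType.MESSAGE;
import static org.springframework.messaging.simp.SimpMessageType.SUBSCRIBE;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
import org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer;

@Configuration
public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {

    @Override
    protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
        messages
            // Frames without a destination (CONNECT, UNSUBSCRIBE, DISCONNECT, ...):
            // only from an authenticated session, never from anonymous clients.
            .nullDestMatcher().authenticated()
            // Messages routed to application handlers (assumed '/app' prefix).
            .simpDestMatchers("/app/**").hasRole("USER")
            // The per-user error queue is the one destination any connected
            // client may subscribe to; it must come before the '/user/**' rule.
            .simpSubscribeDestMatchers("/user/queue/errors").permitAll()
            // Subscriptions to broker destinations (assumed prefixes).
            .simpSubscribeDestMatchers("/topic/**", "/user/**").hasRole("USER")
            // Any SEND or SUBSCRIBE not matched above is rejected before it
            // reaches the broker, rather than silently forwarded.
            .simpTypeMatchers(MESSAGE, SUBSCRIBE).denyAll()
            // Everything else is denied too; nothing falls through by default.
            .anyMessage().denyAll();
    }
}
```

Keep the class alongside the existing WebSocket broker configuration; Spring Security registers the inbound channel interceptor itself. The class also enables CSRF protection for the CONNECT frame by default, so the STOMP client must send the CSRF token as a header when connecting.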

The second bug (CVE-2018-1271) resides in Spring MVC (the Web model-view-controller framework) and allows attackers to perform a directory traversal attack and read files outside the intended directory when an application is configured to serve static resources (e.g., CSS, JS, images) from a file system location on Windows.

The flaw is not exploitable if the application is not running on Windows, and can be avoided by not serving static files from the file system or by using Tomcat or WildFly as the server.
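In Spring MVC the distinction Pivotal draws is the resource location: a 'file:' location resolves against the host file system, whereas 'classpath:' and servlet-context locations do not. The following is an added example for this article, not code from Pivotal or the Spring project; it assumes Spring Framework 5.x (WebMvcConfigurer with default methods) and uses hypothetical URL and directory paths. The commented-out handler shows the exposed configuration, the active one the unaffected alternative.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
@EnableWebMvc
public class StaticResourceConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Exposed configuration: static resources resolved from a directory on
        // the host file system. This is the setup CVE-2018-1271 concerns when
        // the server runs on Windows (hypothetical path, for illustration).
        //
        // registry.addResourceHandler("/assets/**")
        //         .addResourceLocations("file:C:/app/static/");

        // Unaffected configuration: resources resolved from the classpath
        // (packaged inside the application) and from the servlet context
        // (a location without a prefix). Neither is a file-system location.
        registry.addResourceHandler("/assets/**")
                .addResourceLocations("classpath:/static/", "/WEB-INF/static/");
    }
}
```

On Spring Framework 4.3 the same method is overridden on WebMvcConfigurerAdapter instead. Moving resources off the file system is a workaround only; the fixed releases below are still required.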

Pivotal has released Spring Framework 5.0.5 and 4.3.15, which include fixes for all three vulnerabilities. The company has also released Spring Boot 2.0.1 and 1.5.11, which pull in the patched Spring Framework versions.

Developers and administrators are strongly advised to upgrade to these versions immediately.
