Spring Framework is a popular, lightweight and an open source framework for developing Java-based enterprise applications.
- Critical: Remote Code Execution with spring-messaging (CVE-2018-1270)
- High: Directory Traversal with Spring MVC on Windows (CVE-2018-1271)
- Low: Multipart Content Pollution with Spring Framework (CVE-2018-1272)
Vulnerable Spring Framework versions expose STOMP clients over WebSocket endpoints with an in-memory STOMP broker through the ‘spring-messaging’ module, which could allow an attacker to send a maliciously crafted message to the broker, leading to a remote code execution attack (CVE-2018-1270).
“The use of authentication and authorization of messages, such as the one provided by Spring Security, can limit exposure to this vulnerability only to users who are allowed to use the application,” the company suggests.
This vulnerability doesn’t work if you are not using Windows to serve content and can be avoided if you don’t serve files from the file system or use Tomcat/WildFly as the server.
Pivotal has released Spring Framework 5.0.5 and 4.3.15, which include fixes for all the three vulnerabilities. The company has also released Spring Boot 2.0.1 and 1.5.11, that match the patched Spring Framework versions.
So developers and administrators are highly recommended to upgrade their software to the latest versions immediately.