Security Alert

Several Spring Vulnerabilities

Original date: 18.01.2019 (UPDATE)
Overall risk classification: HIGH

Overview

Pivotal has published several severe vulnerabilities related to Spring components. Your project may be affected if one of the following components is used: Spring Integration, Spring Web Services, Spring Batch.

Systems Affected

  • Spring Integration versions 5.1.1, 5.0.10, 4.3.18 and older (CVE-2019-3772) [1]
  • Spring Web Services versions 2.4.3, 3.0.4 and older (CVE-2019-3773) [2]
  • Spring Batch versions 3.0.9, 4.0.1, 4.1.0 and older (CVE-2019-3774) [3]

Threat

Risk: HIGH
All three components are susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Exploitability: HIGH
Priority (for affected, internet-exposed systems): HIGH
Priority (for internal systems): MEDIUM

Mitigation

If your project uses vulnerable versions of Spring, update these dependencies to the latest versions:
  • spring-integration-ws, spring-integration-xml to 4.3.19, 5.0.11, 5.1.2 or later
  • spring-ws, spring-xml jars to 2.4.4, 3.0.6 or later
  • spring-batch jars to 3.0.10, 4.0.2, 4.1.1 or later
The patched components now disable the affected XML features by default, but still allow them to be re-enabled by configuration where the XML is received from a trusted source.

Author

Martin Schöne

References

[1] https://pivotal.io/security/cve-2019-3772
[2] https://pivotal.io/security/cve-2019-3773
[3] https://pivotal.io/security/cve-2019-3774

If you need help assessing the risk of your project, do not hesitate to contact us!