Security Alert

Several Spring vulnerabilities

Original date: 10.05.2018 – UPDATE 14.05.2018: unzip vulnerability also affects spring-integration-zip 1.0.1
Overall risk classification: HIGH

Overview

Pivotal has published advisories for several severe vulnerabilities in Spring components. Your project may be affected if it uses one of the following: Spring Messaging, Spring Security, Spring Data Commons in combination with XMLBeam, Spring Security OAuth2, Spring Integration Zip or Apps Manager.

CVE-2018-1257

When using Spring prior to 5.0.6 or prior to 4.3.17, an attacker may be able to stage denial of service attacks by exploiting the spring-messaging module [6].

Systems Affected

  • Spring Framework 5.0 to 5.0.5 [6]
  • Spring Framework 4.3 to 4.3.16 [6]

CVE-2018-1258

When using Spring Security in combination with Spring Framework 5.0.5.RELEASE and method security, your system may be vulnerable to authorization bypasses. An attacker may gain unauthorized access to methods which should be restricted [5].

Systems Affected

  • Spring Framework 5.0.5 in combination with any version of Spring Security [5]

CVE-2018-1259

When using Spring Data Commons prior to 1.13.11 or 2.0.6 in combination with XMLBeam 1.4.14 or earlier, your system may be vulnerable to XML external entity injection attacks. An unauthenticated remote attacker may be able to access arbitrary files on the system [4].

Systems Affected

  • Spring Data Commons 1.13 to 1.13.11 (Ingalls SR11) [4]
  • Spring Data REST 2.6 to 2.6.11 (Ingalls SR11) [4]
  • Spring Data Commons 2.0 to 2.0.6 (Kay SR6) [4]
  • Spring Data REST 3.0 to 3.0.6 (Kay SR6) [4]

CVE-2018-1260

When using Spring Security OAuth, your system may be vulnerable to remote code execution if the application acts in the role of an authorization server (e.g. @EnableAuthorizationServer) and uses the default approval endpoint [3].

Systems Affected

  • Spring Security OAuth 2.3 to 2.3.2 [3]
  • Spring Security OAuth 2.2 to 2.2.1 [3]
  • Spring Security OAuth 2.1 to 2.1.1 [3]
  • Spring Security OAuth 2.0 to 2.0.14 [3]

CVE-2018-1261 / CVE-2018-1263

If your application uses spring-integration-zip and unpacks zip files from untrusted sources, an attacker may be able to write files to arbitrary locations on the server [2, 7].

Systems Affected

  • Spring Integration Zip Community Extension Project prior to version 1.0.2.RELEASE [7].
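The defect behind CVE-2018-1261 / CVE-2018-1263 is the classic archive path traversal: an entry name such as ../../escaped.txt is joined onto the destination directory and written as-is. The following is an added example, not code from the advisory or from the spring-integration-zip project; it does not reproduce that project's fix but shows the general containment check an unpacker needs. The archive is constructed in memory for the demonstration, and the function names (build_sample_archive, is_within_directory, safe_extract, demo) are this example's own.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed archive for this demonstration (not from the advisory):
    one ordinary entry and one whose name climbs out of the target directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/2018-05.txt", "benign content\n")
        zf.writestr("../../escaped.txt", "must never be written\n")
    return buf.getvalue()


def is_within_directory(directory: str, target: str) -> bool:
    """Canonicalise both paths and require target to be directory itself or below it.
    realpath() collapses '..' segments and follows symlinks, so 'dest/../../x' is
    compared as the location it really points at, not as the text of the entry name."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return target == directory or target.startswith(directory + os.sep)


def safe_extract(archive: bytes, dest: str) -> dict:
    """Unpack the archive under dest, skipping entries that would land outside it.
    The vulnerable pattern is os.path.join(dest, entry_name) used directly as the
    write target; the containment check below is what makes the loop safe."""
    result = {"extracted": [], "rejected": []}
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_real, info.filename)
            if not is_within_directory(dest_real, target):
                result["rejected"].append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            result["extracted"].append(info.filename)
    return result


def demo() -> dict:
    """Run the extractor on the constructed archive in a fresh temporary
    directory and report which entries were written and which were refused."""
    dest = tempfile.mkdtemp(prefix="zipcheck-")
    result = safe_extract(build_sample_archive(), dest)
    result["benign_present"] = os.path.isfile(os.path.join(dest, "reports", "2018-05.txt"))
    result["escaped_present"] = os.path.exists(os.path.join(dest, "..", "..", "escaped.txt"))
    return result


if __name__ == "__main__":
    print(demo())
```

The check compares canonical paths rather than looking for ".." in the entry name, so it also rejects absolute entry names and names that only escape after symlink resolution. Logging the rejected entries, as the demo does, gives operations a signal that someone submitted a crafted archive.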

CVE-2018-1278

If your project uses the Apps Manager, which is included in the Pivotal Application Service, an attacker may be able to exploit an authorization enforcement vulnerability and thereby gain unauthorized access to sensitive information [1].

Systems Affected

  • Pivotal Application Service 2.1 to 2.1.3 [1]
  • Pivotal Application Service 2.0 to 2.0.12 [1]
  • Pivotal Application Service 1.12 to 1.12.21 [1]

Threat

Risk: HIGH
Exploitability: MEDIUM to HIGH
Priority (for affected, internet-exposed systems): MEDIUM
Priority (for internal systems): LOW

Mitigation

If your project uses vulnerable versions of Spring, update these dependencies to the latest versions: Spring Framework 5.0.6 or 4.3.17 [6, 5], Spring Data REST 2.6.12 (Ingalls SR12) or 3.0.7 (Kay SR7) [4], Spring Security OAuth 2.3.3 or 2.2.2 or 2.1.2 or 2.0.15 [3], Spring Integration Zip Community Extension Project 1.0.2 [7], Pivotal Application Service 2.1.4, 2.0.13, 1.12.22 [1].
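To turn the affected ranges above into a repeatable check, the following added example (not part of the advisory, and not a Pivotal tool) audits the dependencies declared in a Maven pom.xml against the version ranges and fixed versions stated in this alert. The Maven coordinates in the ADVISORY table are this example's assumption, since the alert names products rather than artifacts; the pom.xml is constructed for the demonstration; Pivotal Application Service is not a Maven dependency and is left out; and Spring Data Commons carries no fixed version because the alert states none for it. The names parse_version, load_dependencies and audit are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges (inclusive) and fixed versions as stated in the advisory.
# Maven coordinates are assumed here; the advisory names products, not artifacts.
# A fixed version of None means "see the advisory entry" (none stated on the page).
ADVISORY = [
    ("org.springframework", "spring-messaging", "CVE-2018-1257",
     [((5, 0, 0), (5, 0, 5), "5.0.6"), ((4, 3, 0), (4, 3, 16), "4.3.17")], None),
    ("org.springframework", "*", "CVE-2018-1258",
     [((5, 0, 5), (5, 0, 5), "5.0.6")],
     "only in combination with Spring Security and method security"),
    ("org.springframework.data", "spring-data-commons", "CVE-2018-1259",
     [((1, 13, 0), (1, 13, 11), None), ((2, 0, 0), (2, 0, 6), None)],
     "only in combination with XMLBeam 1.4.14 or earlier"),
    ("org.springframework.data", "spring-data-rest-core", "CVE-2018-1259",
     [((2, 6, 0), (2, 6, 11), "2.6.12"), ((3, 0, 0), (3, 0, 6), "3.0.7")],
     "only in combination with XMLBeam 1.4.14 or earlier"),
    ("org.springframework.security.oauth", "spring-security-oauth2", "CVE-2018-1260",
     [((2, 3, 0), (2, 3, 2), "2.3.3"), ((2, 2, 0), (2, 2, 1), "2.2.2"),
      ((2, 1, 0), (2, 1, 1), "2.1.2"), ((2, 0, 0), (2, 0, 14), "2.0.15")],
     "only when acting as authorization server with the default approval endpoint"),
    ("org.springframework.integration", "spring-integration-zip",
     "CVE-2018-1261 / CVE-2018-1263", [((0, 0, 0), (1, 0, 1), "1.0.2")],
     "only when zip files from untrusted sources are unpacked"),
]

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text: str) -> tuple:
    """'5.0.5.RELEASE' -> (5, 0, 5); qualifiers such as RELEASE are dropped."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def load_dependencies(pom_xml: str) -> list:
    """Return (groupId, artifactId, version) for each <dependency> with a version,
    resolving ${property} references from <properties>. Dependencies whose version
    comes from a BOM are skipped; resolve those via the effective POM instead."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    deps = []
    for dep in root.iter(f"{POM_NS}dependency"):
        g = dep.findtext(f"{POM_NS}groupId", default="").strip()
        a = dep.findtext(f"{POM_NS}artifactId", default="").strip()
        v = dep.findtext(f"{POM_NS}version", default="").strip()
        v = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v)
        if v:
            deps.append((g, a, v))
    return deps


def audit(deps: list) -> list:
    """Match each dependency against the advisory table; '*' matches any artifact
    of the group (CVE-2018-1258 concerns the whole 5.0.5 framework release)."""
    findings = []
    for g, a, v in deps:
        ver = parse_version(v)
        for adv_g, adv_a, cve, ranges, condition in ADVISORY:
            if g != adv_g or (adv_a != "*" and a != adv_a):
                continue
            for lo, hi, fixed in ranges:
                if lo <= ver <= hi:
                    findings.append({"dependency": f"{g}:{a}:{v}", "cve": cve,
                                     "fixed": fixed, "condition": condition})
    return findings


# Constructed pom.xml for the demonstration; not a real project's file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>constructed-sample</artifactId><version>0.1</version>
  <properties><spring.version>5.0.5.RELEASE</spring.version></properties>
  <dependencies>
    <dependency><groupId>org.springframework</groupId>
      <artifactId>spring-messaging</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework.security.oauth</groupId>
      <artifactId>spring-security-oauth2</artifactId><version>2.3.2.RELEASE</version></dependency>
    <dependency><groupId>org.springframework.integration</groupId>
      <artifactId>spring-integration-zip</artifactId><version>1.0.1.RELEASE</version></dependency>
    <dependency><groupId>org.springframework.data</groupId>
      <artifactId>spring-data-rest-core</artifactId><version>3.0.7.RELEASE</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for f in audit(load_dependencies(SAMPLE_POM)):
        print(f"{f['cve']}: {f['dependency']} -> upgrade to {f['fixed'] or 'see advisory'}"
              + (f" ({f['condition']})" if f["condition"] else ""))
```

Run against a real project, the condition field tells the reviewer whether a finding is exploitable at all (for example, CVE-2018-1258 only matters if method security is enabled), which is what separates "affected version present" from "affected system". Transitive dependencies are not seen by a plain pom.xml parse; feed the script the output of the effective POM or a dependency tree for a complete picture.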

Author

Björn Kirschner

References

[1] https://pivotal.io/security/cve-2018-1278
[2] https://pivotal.io/security/cve-2018-1261
[3] https://pivotal.io/security/cve-2018-1260
[4] https://pivotal.io/security/cve-2018-1259
[5] https://pivotal.io/security/cve-2018-1258
[6] https://pivotal.io/security/cve-2018-1257
[7] https://pivotal.io/security/cve-2018-1263

If you need help assessing the risk of your project, do not hesitate to contact us!