CVE-2016-2173 Remote Code Execution in Spring AMQP
CRITICAL | APRIL 11, 2016 | CVE-2016-2173
Description
The class org.springframework.core.serializer.DefaultDeserializer does not validate the deserialized object against a whitelist. By supplying a crafted serialized object, such as Chris Frohoff's Commons Collections gadget chain, remote code execution can be achieved.
Affected Spring Products and Versions
1.0.0 to 1.5.4
Mitigation
Users of affected versions should apply the following mitigation:
The cited class (DefaultDeserializer) is not registered by any Spring application context automatically; users should take care when using this class with objects from untrusted sources in the same way they should when using ObjectInputStream directly.
Spring AMQP has an (optional) message converter (SerializerMessageConverter) that can use this deserializer; starting with version 1.5.5, that converter can be configured with a whitelist of packages/classes that may be deserialized.
Spring AMQP also has a SimpleMessageConverter, which *is* configured by default; it does not use the deserializer, but it does use ObjectInputStream internally. It, too, can now be configured with a whitelist of packages/classes.
It is recommended that users do not use Java serialization when using RabbitMQ in an environment where untrusted data might be received; if they do, they should configure the converter with the allowable objects.
Users that might be exposed to this vulnerability should upgrade to Spring AMQP 1.5.5 or higher and configure the whitelist.
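The following is an added illustration, not code from the advisory or from the Spring AMQP project. It shows two things: how a converter is restricted to a set of allowed types (the setWhiteListPatterns method is the 1.5.5-era API as the editor recalls it; treat the name as an assumption and check it against the version in use), and, independently of Spring, the general technique behind such a whitelist: an ObjectInputStream subclass that rejects any class not on an allow list before it is resolved, which is the same check a service should apply wherever it calls ObjectInputStream directly on untrusted input. The package name com.example.model and the Order class are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.List;

import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.amqp.support.converter.SimpleMessageConverter;

public class DeserializationAllowListExample {

    // Part 1: restrict the default Spring AMQP converter to known types.
    // setWhiteListPatterns is assumed to be the 1.5.5 configuration method.
    static SimpleMessageConverter restrictedConverter() {
        SimpleMessageConverter converter = new SimpleMessageConverter();
        converter.setWhiteListPatterns(Arrays.asList(
                "java.util.*",           // collections that carry the payload
                "java.lang.*",           // boxed primitives, String
                "com.example.model.*")); // the application's own message types (constructed)
        return converter;
    }

    static void wire(RabbitTemplate template) {
        // Every inbound Java-serialized body now passes through the allow list.
        template.setMessageConverter(restrictedConverter());
    }

    // Part 2: the generic technique, usable anywhere ObjectInputStream is called directly.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final List<String> patterns;

        AllowListObjectInputStream(InputStream in, List<String> patterns) throws IOException {
            super(in);
            this.patterns = patterns;
        }

        // Called for every class named in the stream before any instance is created,
        // so a gadget class is refused before its readObject can run.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String element = elementName(desc.getName());
            if (!allowed(element)) {
                throw new InvalidClassException(desc.getName(), "class is not on the deserialization allow list");
            }
            return super.resolveClass(desc);
        }

        // Array classes appear as "[Ljava.lang.String;" or "[I"; reduce them to the element type.
        private static String elementName(String name) {
            int dims = 0;
            while (dims < name.length() && name.charAt(dims) == '[') dims++;
            if (dims == 0) return name;
            String rest = name.substring(dims);
            if (rest.startsWith("L") && rest.endsWith(";")) return rest.substring(1, rest.length() - 1);
            return rest; // single-letter primitive code, e.g. "I"
        }

        private boolean allowed(String name) {
            if (name.length() == 1) return true; // primitive array element codes
            for (String p : patterns) {
                if (p.endsWith(".*") && name.startsWith(p.substring(0, p.length() - 1))) return true;
                if (p.equals(name)) return true;
            }
            return false;
        }
    }

    static Object readAllowed(byte[] bytes, List<String> patterns) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), patterns)) {
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<String> allow = Arrays.asList("java.lang.*", "java.util.*");
        // A plain ArrayList of Strings is on the list and round-trips.
        System.out.println(readAllowed(serialize(new java.util.ArrayList<>(Arrays.asList("a", "b"))), allow));
        // Any class outside java.lang/java.util is refused before it is instantiated.
        try {
            readAllowed(serialize(new java.awt.Point(1, 2)), allow);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The pattern list should be as narrow as the application allows; "java.util.*" is included here only because the converter's own payload wrappers live there, and a production list would name the concrete message classes rather than whole packages where practical.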
Credit
Vulnerability discovery by Matthias Kaiser of Code White (www.code-white.com)