Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2017-8045: Remote code execution in spring-amqp
Description
In affected versions of Spring AMQP, a org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
Affected Spring Products and Versions
- Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7
Mitigation
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
- Spring AMQP: 2.0.0, 1.7.4, 1.6.11, 1.5.7
Credit
This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.
References
- https://jira.spring.io/browse/AMQP-766
- https://docs.spring.io/spring-amqp/docs/1.6.11.RELEASE/reference/html/_reference.html#_message
History
2017-09-19: Initial vulnerability report published
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all