Spring Batch Admin does not contain Cross Site Request Forgery (CSRF) protection, which may allow an attacker to craft a malicious site that executes requests to Spring Batch Admin.
Affected Spring Products and Versions
Spring Batch Admin all versions
Mitigation
Users of affected versions should apply the following mitigation:
Spring Batch Admin has reached end of life as of January 1, 2018. Spring Cloud Data Flow is the recommended replacement for managing and monitoring Spring Batch jobs going forward.
Credit
This vulnerability was responsibly reported by Wen Bin Kong.
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.
In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.
Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Affected Spring Products and Versions
Spring Security
4.1.0 - 4.1.4
4.2.0 - 4.2.3
5.0.0
Spring Framework
5.0.0 - 5.0.2
4.3.0 - 4.3.13
Older unmaintained versions of Spring Security & Spring Framework were not analyzed and may be impacted
Mitigation
Users of affected versions should apply the following mitigation:
Spring Security<ul><li>5.0.x users should update to 5.0.1</li><li>4.2.x users should update to 4.2.4</li><li>4.1.x users should update to 4.1.5</li></ul>
Spring Framework<ul><li>5.0.x users should update to 5.0.3</li><li>4.3.x users should update to 4.3.14</li></ul>
As a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath.
Credit
The issue was identified by Macchinetta Framework Development Team from NTT Comware, NTT DATA Corporation, and NTT, and responsibly reported to Pivotal.
When connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
Affected Spring Products and Versions
Spring-LDAP versions 1.3.0 - 2.3.1
Mitigation
Users of affected versions should apply the following mitigation:
Upgrade to Spring-LDAP version 2.3.2.RELEASE+
Credit
This vulnerability was responsibly reported by Tobias Schneider.
Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.
Affected Spring Products and Versions
Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1)
Spring Boot (if Spring Data REST module is used) versions prior to 1.5.9, 2.0 M6
Mitigation
Users of affected versions should apply the following mitigation:
Releases that have fixed this issue include:<ul><li>Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017)</li><li>Spring Data REST 3.0.1 (Kay SR1, Oct. 27th 2017)</li><li>Spring Boot 1.5.9 (Oct, 28th 2017)</li><li>Spring Boot 2.0 M6 (Nov. 6th 2017)</li></ul>
Credit
This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.
In affected versions of Spring AMQP, a org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
Affected Spring Products and Versions
Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7
Mitigation
Users of affected versions should apply the following mitigation:
Releases that have fixed this issue include:<ul><li>Spring AMQP: 2.0.0, 1.7.4, 1.6.11, 1.5.7</li></ul>
Credit
This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.
This CVE addresses a second path to exploiting the same vulnerability as the one described under CVE-2017-4971.
Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e. set to “false”) can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
Affected Spring Products and Versions
Spring Web Flow 2.4.0 to 2.4.5
Older unsupported versions are also affected
Mitigation
Users of affected versions should apply the following mitigation:
2.4.x users should upgrade to 2.4.6
Note that generally it is a good practice and recommended to always use explicit data binding declarations in view states in order to prevent form submissions from setting fields on the target object that should not be set.
Users of Spring Web Flow with JSF are not impacted by this report.
Credit
The issue was identified by security researcher he1renyagao.
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets".
Spring Security configures Jackson with global default typing enabled which means that through the previous exploit, arbitrary code could be executed if all of the following is true:
Spring Security’s Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper)
Jackson is used to deserialize data that is not trusted. Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user.
There is an unknown (Jackson is not blacklisting it already) “deserialization gadget” that allows code execution present on the classpath
Jackson provides a blacklisting approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown “deserialization gadgets” when Spring Security enables default typing.
Affected Spring Products and Versions
Spring Security 4.2.0.RELEASE - 4.2.2.RELEASE
Spring Security 5.0.0.M1
Mitigation
Users of affected versions should apply the following mitigation:
Releases that have fixed this issue include: <ul><li>Spring Security: 4.2.3.RELEASE+</li><li>Spring Security: 5.0.0.M2+</li></ul>
The fix ensures that by default only explicitly mapped classes will be deserialized. The effect of using explicitly mapped classes is to create a whitelist which works with all supported versions of Jackson. If users explicitly opt into <a href='https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#11-global-default-typing'>global default typing</a>, the previous potentially dangerous configuration is restored.
Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e. set to “false”) can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
Affected Spring Products and Versions
Spring Web Flow 2.4.0 to 2.4.4
Older unsupported versions are also affected
Mitigation
Users of affected versions should apply the following mitigation:
2.4.x users should upgrade to 2.4.5
Note that generally it is a good practice and recommended to always use explicit data binding declarations in view states in order to prevent form submissions from setting fields on the target object that should not be set.
Spring Web Flow with JSF users are not impacted by this report.
Credit
The issue was identified by Stefano Ciccone of Gotham Digital Science
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed.
Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath() and getPathInfo() [1].
Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified.
Users of IBM WebSphere Application Server 8.5.x are known to be affected.
Users of other containers that implement the Servlet specification may be affected.
Adopting one of the following mitigations will protect against this vulnerability.
Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo()
Upgrading to Spring Security 3.2.10, 4.1.4 or 4.2.1 will reject the request with a RequestRejectedException if the presence of an encoded "/" is detected. Note: If you wish to disable this feature it can be disabled by setting the DefaultHttpFirewall.allowUrlEncodedSlash = true. However, disabling this feature will mean applications are vulnerable (in containers that return path parameters in getServletPath() or getPathInfo()).
Credit
The issue was identified by Shumpei Asahara & Yuji Ito from NTT DATA Corporation and responsibly reported to Pivotal.
