Description

Both Spring Security and the Spring Framework rely on URL pattern mappings for authorization and for mapping requests to controllers respectively.

Differences in the strictness of the pattern matching mechanisms, for example with regards to space…

Description

When processing authorization requests using the whitelabel views, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.

Affected Spring Products and Versions

• 2.0.0 to 2.0.9
• 1.0.0 to 1.0.5

Mitigation

Users of affected versions should apply the following mitigation:

• Users of 1.0.x should not use whitelabel views for approval and error pages
• Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later

Credit

This issue was found by David Vieira-Kurz (@secalert) and reported by Oliver Schoenherr on behalf of Immobilien Scout GmbH.

References

• https://github.com/spring-projects/spring-security-oauth/commit/fff77d3fea477b566bcacfbfc95f85821a2bdc2d
…

Description

The class org.springframework.core.serializer.DefaultDeserializer does not validate the deserialized object against a whitelist. By supplying a crafted serialized object like Chris Frohoff's Commons Collection gadget, remote code execution can be achieved.

Affected Spring Products and Versions

• 1.0.0 to 1.5.4

Mitigation

Users of affected versions should apply the following mitigation:

• The cited class (DefaultDeserializer) is not registered by any Spring application context automatically; users should take care when using this class with objects from untrusted sources in the same way they should when using ObjectInputStream directly.
• Spring AMQP has an (optional) message converter that can use this deserializer; starting with version 1.5.5, that converter can now be configured with a whitelist of acceptable packages/classes that can be deserialized.
• Spring AMQP also has a SimpleMessageConverter which *is* configured by default; it doesn't use the deserializer, but does use ObjectInputStream internally; it, too, can now be configured with a whitelist of packages/classes.
• It is recommended that users do not use Java serialization when using RabbitMQ in an environment where untrusted data might be received; if they do, they should configure the converter with the allowable objects.
• Users that might be exposed to this vulnerability should upgrade to Spring AMQP 1.5.5 or higher and configure the whitelist.

Credit

Vulnerability discovery by Matthias Kaiser of Code White (www.code-white.com)

References

• https://jira.spring.io/browse/AMQP-590
• https://github.com/spring-projects/spring-amqp/commit/4150f107e60cac4a7735fcf7cb4c1889a0cbab6c
…

Description

When authorizing an application against an OAuth 2 API provider, Spring Social is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The attack involves a malicious user beginning an OAuth 2 authorization flow using a fake account with an OAuth 2 API provider, but completing it by tricking the victim into visiting the callback request in their browser. As a consequence, the attacker will have access to the victim's account on the vulnerable site by way of the fake provider account.

Affected Spring Products and Versions

• Spring Social Core 1.0.0 to 1.0.3
• Spring Social Core 1.1.0 to 1.1.2

Mitigation

Users of affected Spring Social versions should upgrade as follows:

• For Spring Social 1.0.x upgrade to 1.1.3+
• For Spring Social 1.1.x upgrade to 1.1.3+

In the above mentioned versions, Spring Social requires the existence of a `state` parameter in the callback request. If it is not found, an IllegalStateException is thrown and the authorization flow is terminated.

Credit

The issue was first found by Kris Bosch from Include Security. Paul Ambrosini from sourceclear (https://srcclr.com) then identified the root cause, vulnerable library and vulnerable code.

…

Description

Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

For details and concrete examples see the very helpful RFD paper from Trustwave.

Affected Spring Products and Versions

• Spring Framework 3.2.0 to 3.2.14
• Spring Framework 4.0.0 to 4.1.7
• Spring Framework 4.2.0 to 4.2.1
• Other unsupported versions are also affected

Mitigation

Users of affected Spring Framework versions should upgrade as follows:

• For 3.2.x upgrade to 3.2.15+.
• For 4.0.x and 4.1.x upgrade to 4.1.8+.
• For 4.2.x upgrade to 4.2.2+.

In the above mentioned versions Spring MVC checks if the URL contains a file extension prior to writing with an HttpMessageConverter, and if the extension is unknown a “Content-Disposition” response header is added to suggest the download filename “f.txt”. The list of “known” extensions by default includes the ones associated with the built-in HttpMessageConverter implementations as well as any additional extensions explicitly registered for content negotiation purposes. For 4.x the fix also includes URL checks for SockJS URLs and validation of the JSONP callback parameter in all areas where JSONP is supported.

Simply upgrading to the above mentioned versions will protect applications against RFD attacks. Some further steps can be also be taken:

• Encode rather than escape JSON responses. This is also an OWASP XSS recommendation. For an example of how to do that with Spring see https://github.com/rwinch/spring-jackson-owasp.
• Configure suffix pattern matching to be turned off or restricted to explicitly registered suffixes only.
• Configure content negotiation with the properties “useJaf” and “ignoreUknownPathExtension” set to false which would result in a 406 response for URLs with unknown extensions. Note however that this may not be an option if URLs are naturally expected to have a dot towards the end.
• Add 'X-Content-Type-Options: nosniff' header to responses. Spring Security 4 does this by default.

Credit

RFD attacks were described by Trustwave in a paper. The issue in the Spring Framework was responsibly reported to Pivotal by Alvaro Muñoz from HPE Security Research. Special thanks to…

Description

XML external entities were previously disabled with the publication of http://pivotal.io/security/cve-2013-6429. If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

This is now done in the Spring Framework by default wherever the framework sets up XML parsing from external sources. Mainly this includes the Unmarshaller implementations in spring-oxm and the HttpMessageConverter implementations in spring-web.

Note that further actions may need to be taken by applications in particular where use of StAX is concerned. For example IBM JDK 1.6 and 1.7 require an environment variable in addition to setting supportDTD=false (see IBM JDK reference). Moreover we’ve found that supportDTD alone does not protect against all kinds of DoS attacks with JDK JAXP implementations. Hence we recommend using the Woodstox open source library for StAX parsing.

The following describes when StAX is used in the Spring Framework:

• SourceHttpMessageConverter -- enabled by default. The converter was added in 3.2 while StAX support was added in 4.0.1 and is used when converting to Spring MVC controller method argument of type javax.xml.transform.stax.StAXSource.
• Jaxb2CollectionHttpMessageConverter -- not enabled by default. This converter was added in 3.2.
• MappingJackson2XmlHttpMessageConverter -- enabled when “jackson-dataformat-xml” is present on the classpath. This converter was added in 4.1.

Affected Spring Products and Versions

• Spring Framework 3.2.0 to 3.2.13
• Spring Framework 4.0.0 to 4.1.6
• Other unsupported versions are also affected

Mitigation

Users of affected Spring Framework versions should upgrade as follows:

• For 3.2.x upgrade to <strong>3.2.14+</strong>
• For 4.0.x and 4.1.x upgrade to <strong>4.1.7+</strong>

In addition, applications that consume XML input via StAX from external sources should also use and/or upgrade to a recent version of the Woodstox library, e.g. version 4.2+ (4.2.1 is the currently curated version in the Spring IO Platform).

Notes on adding Woodstox:

StAX defines a standard mechanism for selecting which StAX implementation to use when more than one is available including system properties and service definitions under WEB-INF/services. Woodstox includes the necessary service definitions so that simply adding it to the classpath should work. However some application servers such as WebLogic already bundle (an older version) of Woodstox in which case you may need to configure the server to prefer the one chosen by the application, see this reference on prefer-application-packages.

Credit

This issue was identified responsibly and reported to Pivotal by Toshiaki Maki of NTT DATA Corporation who also helped to develop and test the solution.

References

• https://jira.spring.io/browse/SPR-13136
…

Description

Session id generation in the Java SockJS client is not sufficiently secure and could allow a user to send messages to another user’s session.

Note that this only affects users of the Java SockJS client, which generates its own session id. It does not affect browser clients even if they’re connecting to the same server.

Furthermore, since SockJS is a transport layer, when using a higher level messaging protocol on top such as STOMP over WebSocket with the spring-messaging module, application-level security may already be getting applied to STOMP messages and that can neutralize the impact of any potential attacks.

Affected Spring Products and Versions

• Spring Framework 4.1.0 to 4.1.4

Mitigation

Users of affected versions should apply the following mitigation:

• Users of 4.1.x should upgrade to 4.1.5 or later

Credit

Philippe Arteau found and responsibly reported the problem to Pivotal.

References

• https://github.com/spring-projects/spring-framework/commit/dc5b5ca8ee09c890352f89b2dae58bc0132d6545
• https://github.com/spring-projects/spring-framework/commit/d63cfc8eebc396be009e733a81ebb4c984811f6e
…

Description

Some URLs were not santized correctly before use allowing an attacker to obtain any file on the file system that was also accessible to process in which the Spring web application was running.

Affected Spring Products and Versions

• Spring Framework 3.0.4 to 3.2.11
• Spring Framework 4.0.0 to 4.0.7
• Spring Framework 4.1.0 to 4.1.1
• Other unsupported versions may also be affected

Mitigation

Users of affected versions should apply the following mitigation:

• Users of 3.2.x should upgrade to 3.2.12 or later
• Users of 4.0.x should upgrade to 4.0.8 or later
• Users of 4.1.x should upgrade to 4.1.2 or later

Credit

This issue was identified by Toshiaki Maki of NTT DATA Corporation and responsibly reported to Pivotal.

References

• https://jira.spring.io/browse/SPR-12354
• https://github.com/spring-projects/spring-framework/commit/9beae9ae4226c45cd428035dae81214439324676
• https://github.com/spring-projects/spring-framework/commit/9cef8e3001ddd61c734281a7556efd84b6cc2755
• …

Description

Some URLs were not sanitized correctly before use allowing an attacker to obtain any file on the file system that was also accessible to process in which the Spring web application was running.

Affected Spring Products and Versions

• 4.0.0 to 4.0.4
• 3.2.0 to 3.2.8
• 3.1.1 is known to be affected
• Other unsupported versions may also be affected

Mitigation

Users of affected versions should apply the following mitigation:

• Users of 3.x should upgrade to 3.2.9 or later
• Users of 4.x should upgrade to 4.0.5 or later

Credit

This issue was identified by Takeshi Terada of Mitsui Bussan Secure Directions, Inc. and reported to Pivotal via JPCERT/CC. Information that additional versions were affected was discovered…

Description

When using Spring Security's CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request.

This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed.

If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.

Affected Spring Products and Versions

• 3.1 to 3.2.4

Mitigation

Users of affected versions should apply the following mitigation:

• Users of 3.2x should upgrade to 3.2.5 or later
• Users of 3.1.x should upgrade to 3.1.7 or later

Credit

This issue was identified by David Ohsie and brought to our attention by the CAS Development team.

References

• http://spring.io/blog/2014/08/15/cve-2014-3527-fixed-in-spring-security-3-2-5-and-3-1-7
• https://jira.spring.io/browse/SEC-2688
…