CVE-2017-4971: Spring Web Flow remote code execution vulnerability

Spring Web Flow builds on Spring MVC and allows implementing the “flows” of a web application. A flow encapsulates a sequence of steps that guide a user through the execution of some business task. It spans multiple HTTP requests, has state, deals with transactional data, is reusable, and may be dynamic and long-running in nature..

The sweet spot for Spring Web Flow are stateful web applications with controlled navigation such as checking in for a flight, applying for a loan, shopping cart checkout, or even adding a confirmation step to a form. What these scenarios have in common is one or more of the following traits:

• There is a clear start and an end point.
• The user must go through a set of screens in a specific order.
• The changes are not finalized until the last step.
• Once complete it shouldn’t be possible to repeat a transaction accidentally

Recently, Spring Web Flow released an update patch to fix a vulnerability that Spring Web Flow exists on data bindings (CVE-2017-4971). The vulnerability stems from the fact that the model’s data binding does not specify the specific properties of the relevant model, resulting in malicious expressions that can be submitted through the form and executed, resulting in remote code execution.

In the affected version, the vulnerability could be circumvented by changing the default configuration and improving the coding specification, and Spring Web Flow official has also released a patch to fix the vulnerability.

Affected Version

• Spring Web Flow 2.4.0 – 2.4.4

How to fix

The official has released a new version, please affected 2.4.X users updated in time to upgrade to the latest 2.4.5 version to protect the vulnerability. The official also suggested that the user should change the default settings for data binding to ensure that the submitted form information meets the requirements to avoid similar malicious behavior.

Reference:

https://pivotal.io/security/cve-2017-4971