CVE-2018-1273: Spring Data Commons Remote Code Execution Vulnerability
Pivotal has published a security announcement for a remote code execution vulnerability (CVE-2018-1273) in the Spring Data Commons component. An attacker can construct a SpEL expression containing malicious code and have the component evaluate it, achieving remote code execution and gaining control of the server.
Spring Data is an open source framework that simplifies database access and supports cloud services; it includes modules such as Commons, Gemfire, JPA, JDBC and MongoDB. The vulnerability lies in Spring Data Commons, the shared base module used by the various subprojects, which provides persistence support across different databases. Users affected by this vulnerability should upgrade the component as soon as possible.
Affected versions
- Spring Data Commons 1.13 – 1.13.10 (Ingalls SR10)
- Spring Data REST 2.6 – 2.6.10 (Ingalls SR10)
- Spring Data Commons 2.0 – 2.0.5 (Kay SR5)
- Spring Data REST 3.0 – 3.0.5 (Kay SR5)
- Older versions that are no longer officially supported
Unaffected versions
- Spring Data Commons ≥ 2.0.6
- Spring Data Commons ≥ 1.13.11
- Spring Data REST 2.6.11 (Ingalls SR11)
- Spring Data REST 3.0.6 (Kay SR6)
- Spring Boot 1.5.11
- Spring Boot 2.0.1
The vulnerability arises from the Spring Data Commons component. For applications built on the Spring Framework, check whether the version of this component used by the application falls within the affected ranges. Open pom.xml in a text editor and locate the Spring Data dependency entries (the section marked with a red box in the accompanying screenshot) to see the version currently in use.
If the current version falls within an affected range, the application is exposed to this vulnerability and affected users should apply the fix promptly.
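The version check described above can be scripted. The following is an added example, not part of the advisory or of any Spring project: it parses a pom.xml, resolves versions declared through Maven `<properties>`, and compares each Spring Data dependency against the inclusive affected ranges listed above (older, unsupported versions are treated as affected, as the advisory states). The sample pom.xml is constructed for the example; the artifactIds are assumed to match the Maven coordinates of the modules in your own dependency tree, so adjust the `AFFECTED` table if your project uses other Spring Data REST artifacts.

```python
"""Check a Maven pom.xml for Spring Data Commons / REST versions in the
CVE-2018-1273 affected ranges. Added example; not code from the advisory."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not a real project). The Commons version is held
# in a Maven property, a common layout that a plain text search would miss.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1</version>
  <properties>
    <spring-data.version>2.0.5.RELEASE</spring-data.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-commons</artifactId>
      <version>${spring-data.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-rest-webmvc</artifactId>
      <version>3.0.6.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Inclusive affected ranges from the advisory, keyed by Maven artifactId,
# lowest range first. Assumption: these artifactIds are the ones your project
# pulls in; extend the table if your dependency tree shows others.
AFFECTED = {
    "spring-data-commons": [((1, 13, 0), (1, 13, 10)), ((2, 0, 0), (2, 0, 5))],
    "spring-data-rest-core": [((2, 6, 0), (2, 6, 10)), ((3, 0, 0), (3, 0, 5))],
    "spring-data-rest-webmvc": [((2, 6, 0), (2, 6, 10)), ((3, 0, 0), (3, 0, 5))],
}


def parse_version(text):
    """'1.13.10.RELEASE' -> (1, 13, 10); qualifiers such as RELEASE are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(artifact_id, version):
    """True if version is inside a listed range or older than the oldest
    supported range (the advisory lists unsupported old versions as affected)."""
    ranges = AFFECTED.get(artifact_id)
    if not ranges:
        return False
    v = parse_version(version)
    if v < ranges[0][0]:
        return True
    return any(lo <= v <= hi for lo, hi in ranges)


def resolve(value, props):
    """Expand ${prop} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def check_pom(pom_xml):
    """Return (artifactId, resolved version, affected?) for every Spring Data
    dependency in the pom. affected is None when the version is inherited
    from a parent or BOM and therefore not visible in this file."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default=None, namespaces=NS)
        if group != "org.springframework.data" or artifact not in AFFECTED:
            continue
        if version is None:
            findings.append((artifact, None, None))
            continue
        version = resolve(version, props)
        findings.append((artifact, version, is_affected(artifact, version)))
    return findings


if __name__ == "__main__":
    for artifact, version, affected in check_pom(SAMPLE_POM):
        if affected is None:
            status = "version managed outside this pom; check mvn dependency:tree"
        else:
            status = "AFFECTED" if affected else "ok"
        print(f"{artifact} {version}: {status}")
```

A version that is absent from pom.xml because it is managed by a parent such as spring-boot-starter-parent or by an imported BOM is reported as unknown; for those cases the effective version is what `mvn dependency:tree` prints, and that output is the authoritative input for the check.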
Solution
This vulnerability has been fixed in the latest releases. Affected users should update as soon as possible to ensure lasting protection. Download links are given in the following table:
| Component version | Download link |
| --- | --- |
| Spring Data Commons 2.0.6 | https://github.com/spring-projects/spring-data-commons/archive/2.0.6.RELEASE.zip |
| Spring Data Commons 1.13.11 | https://github.com/spring-projects/spring-data-commons/archive/1.13.11.RELEASE.zip |
| Spring Data REST 3.0.6 | https://github.com/spring-projects/spring-data-rest/archive/3.0.6.RELEASE.zip |
| Spring Data REST 2.6.11 | https://github.com/spring-projects/spring-data-rest/archive/2.6.11.RELEASE.zip |
| Spring Boot 2.0.1 | https://github.com/spring-projects/spring-boot/archive/v2.0.1.RELEASE.zip |
| Spring Boot 1.5.11 | https://github.com/spring-projects/spring-boot/archive/v1.5.11.RELEASE.zip |