Muti vulnerabilities (Remote Code Execution) exist on Spring

On May 9, Spring released several security announcements that fixed several security vulnerabilities, including a high-risk remote code execution vulnerability.

CVE-2018-1257 (High)

Some versions of the Spring Framework allow applications to expose STOMPs on WebSocket endpoints using the Spring message module through a simple memory STOMP proxy. An attacker can send a specially crafted message to the broker, resulting in a denial of service attack.

All the following conditions are met before it is affected by the vulnerability:

• Depends on the spring-messaging and spring-websocket modules.
• Register STOMP through a WebSocket endpoint.
• Enable simple STOMP proxy.

Affected versions:

• Spring Framework 5.0 to 5.0.5
• Spring Framework 4.3 to 4.3.16
• And older versions that are no longer supported

Solution:

Upgrade to the following security version:

• 0.x users should upgrade to 5.0.6.
• 3.x users should upgrade to 4.3.17.
• Versions that are no longer supported should be upgraded to their respective security versions

Reference link: https://pivotal.io/security/cve-2018-1257

CVE-2018-1258 (Critical)

When Spring Security is used with the Spring Framework 5.0.5.RELEASE, there is a security authentication bypass in method security. Unauthorized malicious users may have access to protected methods.

Affected versions:

• Spring Framework 5.0.5.RELEASE + Spring Security (any version)

Solution:

Users should ensure that they are using Spring Framework 5.0.6 or higher.

Reference link: https://pivotal.io/security/cve-2018-1258

CVE-2018-1259 (High)

There are XML external entity reference vulnerabilities in some versions of Spring Data Commons. Unreliable remote malicious users can target projection-based requests for Spring Data and attach malicious request parameters to access arbitrary files on the system. The vulnerability only affects users who use XMLBeam and using the endpoint authentication and authorization provided by Spring Security can effectively limit the vulnerability.

Affected versions:

• Spring Data Commons 1.13 to 1.13.11 (Ingalls SR11)
• Spring Data REST 2.6 to 2.6.11 (Ingalls SR11)
• Spring Data Commons 2.0 to 2.0.6 (Kay SR6)
• Spring Data REST 3.0 to 3.0.6 (Kay SR6)

Solution:

Upgrade to the following security version:

• 13.x users should upgrade to 1.13.12 (Ingalls SR12)
• 0.x users should upgrade to 2.0.7 (Kay SR7)
• Or, upgrade to XMLBeam 1.4.15
• Spring Data REST 2.6.12 (Ingalls SR12)
• Spring Data REST 3.0.7 (Kay SR7)

Reference link: https://pivotal.io/security/cve-2018-1259

CVE-2018-1260 (Critical)

Some versions of Spring Security OAuth contain a remote code execution vulnerability. When the resource owner is forwarded to the authentication endpoint, the attacker can issue a specially crafted authorization request to the authorization endpoint, resulting in remote code execution.

This vulnerability affects applications that meet all of the following requirements:

• Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
• Use the default Approval Endpoint

This vulnerability does not affect the following applications:

• Act in the role of an Authorization Server but override the default Approval Endpoint
• Act in the role of a Resource Server only (e.g. @EnableResourceServer)
• Act in the role of a Client only (e.g. @EnableOAuthClient)

Affected versions:

• Spring Security OAuth 2.3 to 2.3.2
• Spring Security OAuth 2.2 to 2.2.1
• Spring Security OAuth 2.1 to 2.1.1
• Spring Security OAuth 2.0 to 2.0.14
• And older versions that are no longer supported

Solution:

Upgrade to the following security version:

• 3.x users should upgrade to 2.3.3
• 2.x users should upgrade to 2.2.2
• 1.x users should upgrade to 2.1.2
• 0.x users should upgrade to 2.0.15
• Versions that are no longer supported should be upgraded to their respective security versions

Reference link: https://pivotal.io/security/cve-2018-1260

CVE-2018-1261 (Critical)

Part of the spring-integration-zip version exposes an arbitrary file write vulnerability that can be implemented using specially crafted zip archives (which also affect other compressed files, bzip2, tar, xz, war, cpio, and 7z). The compressed file contains The path traverses the file name. So when the file name is connected to the target extraction directory, the final path ends outside the target folder.

This only happens when an application using this library accepts and unpacks untrusted zip files.

Affected versions:

• Spring Integration Zip Community Extension Project version 1.0.0.RELEASE

Solution:

Upgrade to the following security version:

• 0.1.RELEASE

At the same time, you should avoid extracting unexplained zip files.

Reference link: https://pivotal.io/security/cve-2018-1261