Spring Framework Multiple Security Vulnerability
On April 5, Pivotal released an announcement that there are multiple security flaws in the Spring Framework:
- CVE-2018-1270: Remote Code Execution with spring-messaging
CVE number: CVE-2018-1270
Description: Affects Spring Framework 5.*, 4.3.*, and older versions that are no longer supported. The WebSocket-based STOMP support provided by the spring-messaging and spring-websocket modules allows an attacker who has established a WebSocket connection to send malicious content and achieve remote code execution. Updating to the new version as soon as possible is recommended.
- CVE-2018-1271: Directory Traversal with Spring MVC on Windows
CVE number: CVE-2018-1271
Description: Affects Spring Framework 5.*, 4.3.*, and older versions that are no longer supported. Spring MVC allows applications to configure the serving of static resources. When this feature is used on a Windows system, an attacker can request a specially constructed resource URL that results in directory traversal. Updating to the new version as soon as possible is recommended.
- CVE-2018-1272: Multipart Content Pollution with Spring Framework
CVE number: CVE-2018-1272
Description: Affects Spring Framework 5.*, 4.3.*, and older versions that are no longer supported. When a Spring MVC or Spring WebFlux server accepts a request from a client and forwards it to another server, an attacker can construct a polluted multipart request and achieve privilege escalation on that other server. Updating to the new version as soon as possible is recommended.
Affected version & Solution
The affected versions of the three vulnerabilities CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272 are as follows:
- Spring Framework 5.x (5.0 to 5.0.4): updating to version 5.0.5 is recommended
- Spring Framework 4.3.* (4.3 to 4.3.14): updating to version 4.3.15 is recommended
- Older versions that are no longer supported: updating to version 4.3.15 or 5.0.5 is recommended
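To turn the version ranges above into something a defender can run over a build file, the following Python script (an added example, not part of the advisory or of the Spring project) parses a Maven pom.xml, picks out every org.springframework dependency and reports whether its version falls inside the affected ranges listed above, together with the recommended fixed version. The pom.xml and the dependency versions in it are constructed for the example; the version-to-range logic is only the three ranges the advisory states and treats anything newer (for instance 5.1.x) as outside those ranges rather than as safe.

```python
"""Check Spring Framework dependency versions against the affected ranges
published for CVE-2018-1270, CVE-2018-1271 and CVE-2018-1272:
5.0 to 5.0.4 -> fix 5.0.5; 4.3 to 4.3.14 -> fix 4.3.15;
older, unsupported lines -> 4.3.15 or 5.0.5.
Added example; the pom.xml below is constructed, not a real project."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (assumed content, for illustration only)
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>4.3.12.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-messaging</artifactId>
      <version>4.3.12.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.25</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Turn a string such as '4.3.12.RELEASE' into (4, 3, 12); qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version):
    """Return (affected, recommended_fix) for one version per the advisory ranges."""
    v = parse_version(version)
    if v[:2] == (5, 0):
        # 5.0 to 5.0.4 is affected; 5.0.5 is the fixed release
        return (True, "5.0.5") if v < (5, 0, 5) else (False, None)
    if v[:2] == (4, 3):
        # 4.3 to 4.3.14 is affected; 4.3.15 is the fixed release
        return (True, "4.3.15") if v < (4, 3, 15) else (False, None)
    if v < (4, 3, 0):
        # Lines older than 4.3 are out of support; the advisory says to move to 4.3.15 or 5.0.5
        return (True, "4.3.15 or 5.0.5")
    # Newer than any range the advisory covers (for instance 5.1.x): not in the published ranges
    return (False, None)


def spring_dependencies(pom_xml):
    """Yield (artifactId, version) for every org.springframework dependency in the pom."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        if group != "org.springframework":
            continue
        yield (dep.findtext("m:artifactId", namespaces=NS),
               dep.findtext("m:version", namespaces=NS))


def audit(pom_xml):
    """Return [(artifactId, version, recommended_fix)] for affected Spring dependencies."""
    findings = []
    for artifact, version in spring_dependencies(pom_xml):
        affected, fix = assess(version)
        if affected:
            findings.append((artifact, version, fix))
    return findings


if __name__ == "__main__":
    for artifact, version, fix in audit(SAMPLE_POM):
        print(f"{artifact} {version}: affected, upgrade to {fix}")
```

Versions declared through a property or a parent BOM will not appear literally in the dependency element, so on a real project the effective version should be taken from the resolved dependency tree (for example the output of `mvn dependency:tree`) rather than from the raw pom text.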