Two New Critical Vulnerabilities found in Spring Framework

By April 11, 2018 Alerts

Apps Built on Spring Framework at Risk:

Two new critical vulnerabilities brings the total to six new vulnerabilities in a week.

Customer Alert 20180411.

The popular web application development framework Spring has released patches for another two critical vulnerabilities. This follows on from the four vulnerabilities in our 20180410 alert.

CVE-2018-1273: is a Remote Code Execution critical severity vulnerability affecting Spring Data Commons. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data’s projection-based request payload binding that can lead to a remote code execution attack.

CVE-2018-1274: is a Critical Severity Vulnerability Denial of Service vulnerability with Spring Data Commons. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

Read more about these CVEs at Spring’s website.

Waratek Advice

  • Waratek Patch customers can deploy the corresponding Waratek Virtual Patches to be protected against the new Spring vulnerabilities.
  • Waratek Enterprise customers are already protected by the built-in rules that require no source code changes and produce no false-positives.

All of the CVE’s listed above can be remediated by applying Waratek virtual patches that are the functional equivalent to the Spring Framework physical patches, with no source code changes, no recompilation, no application downtime and no version upgrade required.

Apart from the virtual patches, Waratek also provides active zero-day protection using built-in rules that require no configuration. Specifically:

CVE-2018-1273: Waratek’s File Security Rule controls and safe-guards all process forking. Using this rule, all exploits of these vulnerabilities that depend on process forking will fail. Waratek customers that have deployed this security rule in production are already protected against all zero-day remote command execution attacks, including CVE-2018-1273.

For more information about the Spring vulnerabilities or how Waratek protects them, please contact your Waratek representative or contact us by email to schedule a demonstration or free trial.



Author News

More posts by News