Remote Code Execution Flaw found in Spring Framework

By April 10, 2018 Alerts

Apps Built on Spring Framework at Risk:

Four new Spring vulnerabilities range from Critical to Low.

Customer Alert 20180410.

The popular web application development framework Spring has released patches for four newly identified vulnerabilities, the most serious of which could lead to a remote code execution attack.

CVE-2018-1270 & CVE-2018-1275 allow Remote Code Execution in Spring-messaging. They are rated as Critical flaws and affect Spring Framework versions 4.3.x and 5.x, as well as older versions that are no longer supported. Attackers can use these vulnerabilities to launch a remote code execution exploit.

CVE-2018-1271 is a High rated vulnerability that affects applications that use Spring MVC to serve static resources from a Windows file system. Attackers can access restricted resources by sending a request to a specially crafted URL that can lead a directory traversal attack.

Applications that don’t use Tomcat or WildFly as their server, don’t use Windows or don’t use the “file:” scheme to serve files from the file system are not affected.

CVE-2018-1272 is a Multipart Content Pollution vulnerability that impacts Spring Framework 5.0.5 and 4.3.15, but is rated Low because exploitation requires additional attack vectors.

Read more about these CVEs at Spring’s website.

Waratek Advice

  • Waratek Patch customers can deploy the corresponding Waratek Virtual Patches to be protected against the new Spring vulnerabilities.
  • Waratek Enterprise customers are already protected by the built-in rules that require no source code changes and produce no false-positives.

All of the CVE’s listed above can be remediated by applying Waratek virtual patches that are the functional equivalent to the Spring Framework physical patches, with no source code changes, no recompilation, no application downtime and no version upgrade required.

Apart from the virtual patches, Waratek also provides active zero-day protection using built-in rules that require no configuration. Specifically:

CVE-2018-1270 & CVE-2018-1275: Waratek’s File Security Rule controls and safe-guards all process forking. Using this rule, all exploits of these vulnerabilities that depend on process forking will fail. Waratek customers that have deployed this security rule in production are already protected against all zero-day remote command execution attacks, including CVE-2018-1270 & CVE-2018-1275.

CVE-2018-1271: Waratek’s built-in Path Traversal Security Rule protects against path/directory traversal exploits on all platforms with no configuration required and no false positives are produced by the rule. Waratek customers that have deployed this security rule in production are already protected against all zero-day path traversal attacks, including CVE-2018-1271.

For more information about the Spring vulnerabilities or how Waratek protects them, please contact your Waratek representative or contact us by email to schedule a demonstration or free trial.



Author News

More posts by News