Spring Framework is a popular, lightweight and an open source framework for developing Java-based enterprise applications.
In an advisory released today by Pivotal, the company detailed following three vulnerabilities discovered in Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions:
- Critical: Remote Code Execution with spring-messaging (CVE-2018-1270)
- High: Directory Traversal with Spring MVC on Windows (CVE-2018-1271)
- Low: Multipart Content Pollution with Spring Framework (CVE-2018-1272)
Vulnerable Spring Framework versions expose STOMP clients over WebSocket endpoints with an in-memory STOMP broker through the 'spring-messaging' module, which could allow an attacker to send a maliciously crafted message to the broker, leading to a remote code execution attack (CVE-2018-1270).
"The use of authentication and authorization of messages, such as the one provided by Spring Security, can limit exposure to this vulnerability only to users who are allowed to use the application," the company suggests.
The second bug (CVE-2018-1271) resides in Spring's Web model-view-controller (MVC) that allows attackers to execute directory traversal attack and access restricted directories when configured to serve static resources (e.g., CSS, JS, images) from a file system on Windows.
This vulnerability doesn't work if you are not using Windows to serve content and can be avoided if you don't serve files from the file system or use Tomcat/WildFly as the server.
Pivotal has released Spring Framework 5.0.5 and 4.3.15, which include fixes for all the three vulnerabilities. The company has also released Spring Boot 2.0.1 and 1.5.11, that match the patched Spring Framework versions.
So developers and administrators are highly recommended to upgrade their software to the latest versions immediately.