Amol Bhonsle created JUDDI-1003:
-----------------------------------

             Summary: spring-web jar supplied with latest JUDDI distribution 
has security vulnerability
                 Key: JUDDI-1003
                 URL: https://issues.apache.org/jira/browse/JUDDI-1003
             Project: jUDDI
          Issue Type: Bug
          Components: juddi-tomcat
    Affects Versions: 3.3.7, 3.3.6
            Reporter: Amol Bhonsle


The spring-web jar provided in the distribution (JUDDI 3.3.7 comes with spring-web-3.2.18.RELEASE) has the following security vulnerabilities.
The {{org.springframework:spring-web}} package is vulnerable to deserialization 
of untrusted data leading to Remote Code Execution (RCE).

The {{readRemoteInvocation}} method in {{HttpInvokerServiceExporter.class}} 
does not properly verify or restrict untrusted objects prior to deserializing 
them. An attacker can exploit this vulnerability by sending malicious requests 
containing crafted objects, which when deserialized, execute arbitrary code on 
the vulnerable system.
The {{spring-core}} and {{spring-web}} modules of Spring Framework are 
vulnerable to a multipart content pollution vulnerability. The 
{{generateMultipartBoundary()}} method in the {{MimeTypeUtils}} class uses a 
predictable method of generating random values to use as boundary values for 
multipart requests to other servers. This means that an attacker may be able to 
predict the boundary values and inject them into requests at unexpected 
locations, causing the recipient server to incorrectly interpret the multipart 
request. This will result in unexpected behavior depending on the requests 
being processed, including privilege escalation if authorization data is sent 
in the multipart request.

Note:
{quote}In order for the attacker to succeed, they would have to be able to 
guess the multipart boundary value chosen by server A for the multipart request 
to server B, which requires the attacker to also have control of the server or 
the ability to see the HTTP log of server A through a separate attack vector.
{quote}

Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. The 
{{HiddenHttpMethodFilter}} class lets an attacker change the HTTP request 
method to {{TRACE}}. An attacker can exploit this behavior with a Cross-Site 
Scripting (XSS) attack by sending a TRACE request and recovering information 
that would not normally be accessible, such as cookies with the HttpOnly flag.
Please check and provide a fix for this.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
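The XST item above comes down to a method-override filter honouring any value an attacker puts in the override parameter. The following servlet filter is an added illustration of the hardened shape of that logic; it is not jUDDI's or Spring's code. It assumes the javax.servlet API (Tomcat 9 or earlier; Tomcat 10+ uses the jakarta.servlet package), the conventional `_method` parameter name, and an allowlist of PUT, DELETE and PATCH chosen here as the only methods a browser form cannot send natively. Any other value, TRACE included, leaves the original POST untouched.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Illustrative method-override filter (not jUDDI or Spring code).
 * It honours the override parameter only on POST requests and only for an
 * explicit allowlist, so a value such as "TRACE" is ignored rather than
 * turned into a TRACE request that a downstream handler might echo back.
 */
public class RestrictedHttpMethodFilter implements Filter {

    /** Form parameter carrying the override; the name is an assumption. */
    static final String METHOD_PARAM = "_method";

    /** Methods a browser form cannot send itself. TRACE is deliberately absent. */
    static final List<String> ALLOWED_METHODS =
            Collections.unmodifiableList(Arrays.asList("PUT", "DELETE", "PATCH"));

    /**
     * Decide the effective method for a request. The original method is kept
     * unless the request is a POST carrying an allowlisted override value.
     */
    static String resolveMethod(String originalMethod, String overrideParam) {
        if (!"POST".equals(originalMethod) || overrideParam == null || overrideParam.isEmpty()) {
            return originalMethod;
        }
        String candidate = overrideParam.toUpperCase(Locale.ROOT);
        return ALLOWED_METHODS.contains(candidate) ? candidate : originalMethod;
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            String effective = resolveMethod(httpRequest.getMethod(),
                                             httpRequest.getParameter(METHOD_PARAM));
            // Only wrap when the method actually changes, so ordinary requests
            // reach the chain unmodified.
            if (!effective.equals(httpRequest.getMethod())) {
                request = new MethodOverrideWrapper(httpRequest, effective);
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    /** Reports the resolved method to the rest of the filter chain. */
    private static final class MethodOverrideWrapper extends HttpServletRequestWrapper {
        private final String method;

        MethodOverrideWrapper(HttpServletRequest request, String method) {
            super(request);
            this.method = method;
        }

        @Override
        public String getMethod() {
            return method;
        }
    }

    /** Constructed sample inputs exercising the decision logic on its own. */
    public static void main(String[] args) {
        System.out.println(resolveMethod("POST", "DELETE")); // allowlisted override is applied
        System.out.println(resolveMethod("POST", "TRACE"));  // not allowlisted: original method kept
        System.out.println(resolveMethod("GET", "DELETE"));  // overrides are only honoured on POST
        System.out.println(resolveMethod("POST", null));     // no override parameter present
    }
}
```

Register the filter in web.xml ahead of the dispatcher so the rest of the chain only ever sees the resolved method. Note that container-level TRACE blocking does not cover this case on its own: the request arrives at the container as a POST and only becomes a TRACE inside the application, after the connector has already accepted it.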