[ https://issues.apache.org/jira/browse/TIKA-2716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16603335#comment-16603335 ]

Konstantin Gribov commented on TIKA-2716:
-----------------------------------------

Won't Fix because {{spring-*}} is excluded from the dependency tree now (see TIKA-2721)

> Sonatype Nexus auditor is reporting that spring framework version used by 
> Tika 1.18 is vulnerable
> -------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2716
>                 URL: https://issues.apache.org/jira/browse/TIKA-2716
>             Project: Tika
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.18
>            Reporter: Abhijit Rajwade
>            Assignee: Konstantin Gribov
>            Priority: Major
>             Fix For: 2.0, 1.19
>
>
> Sonatype Nexus auditor is reporting that the spring framework version used by 
> Apache Tika 1.18 is vulnerable. The recommendation is to upgrade to a 
> non-vulnerable version of the Spring framework: 4.3.15/later or 5.0.5/later
>  
> Refer to the following details
>  
> Issue 
> [CVE-2018-1270|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1270]
>  
> Source National Vulnerability Database
>  
> Severity
> CVE CVSS 3.0: 9.8
> CVE CVSS 2.0: 7.5
> Sonatype CVSS 3.0: 9.8
>  
> Weakness
> CVE CWE: [358|https://cwe.mitre.org/data/definitions/358.html]
>  
> Description from CVE
> Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 
> 4.3.15 and older unsupported versions, allow applications to expose STOMP 
> over WebSocket endpoints with a simple, in-memory STOMP broker through the 
> spring-messaging module. A malicious user (or attacker) can craft a message 
> to the broker that can lead to a remote code execution attack.
> Explanation
> The Spring Framework {{spring-messaging}} module is vulnerable to Remote Code 
> Execution (RCE). The {{getMethods()}} method in the 
> {{ReflectiveMethodResolver}} class, the {{canWrite}} method in the 
> {{ReflectivePropertyAccessor}} class, and the {{filterSubscriptions()}} 
> method in the {{DefaultSubscriptionRegistry}} class do not properly restrict 
> SpEL expression evaluation. A remote attacker can exploit this vulnerability 
> by crafting a request to an exposed STOMP endpoint and injecting a malicious 
> payload into the {{selector}} header. The application would then execute the 
> payload via a call to {{expression.getValue()}} whenever a new message is 
> sent to the broker.
>  
> Detection
> The application is vulnerable by using this component.
>  
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
> Root Cause
> tika-app-1.18.jar *<=* ReflectivePropertyAccessor.class : [3.0.0.RELEASE , 
> 4.3.15.RELEASE)
> tika-app-1.18.jar *<=* ReflectiveMethodResolver.class : [3.0.0.RELEASE , 
> 4.3.15.RELEASE)
>  
> Advisories
> Attack: [http://www.polaris-lab.com/index.php/archives/501/]
> Attack: 
> [https://chybeta.github.io/2018/04/07/spring-messaging-Remote...|https://chybeta.github.io/2018/04/07/spring-messaging-Remote-Code-Execution-%E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1270%E3%80%91/]
> Project: [https://jira.spring.io/browse/SPR-16588]
>  

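As an added check, not part of this ticket or of the Tika project, the script below inspects a fat jar such as tika-app for the bundled spring-expression version and for the two SpEL classes the root-cause entry names, then applies the affected ranges quoted from the CVE description. The Maven pom.properties path and the class package paths are assumptions, and the sample jar is constructed inline.

```python
import io
import re
import zipfile

# SpEL classes named in the root-cause entry (package path assumed from
# Spring's spring-expression layout).
SPEL_CLASSES = (
    "org/springframework/expression/spel/support/ReflectivePropertyAccessor.class",
    "org/springframework/expression/spel/support/ReflectiveMethodResolver.class",
)
# Maven metadata path assumed to survive shading into the fat jar.
POM_PROPS = "META-INF/maven/org.springframework/spring-expression/pom.properties"


def is_vulnerable_spring(version):
    """CVE-2018-1270 ranges: 5.0 before 5.0.5, 4.3 before 4.3.15, older lines."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return True  # unparseable version string: treat as unsafe
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (5, 0):
        return patch < 5
    if (major, minor) == (4, 3):
        return patch < 15
    return (major, minor) < (4, 3)


def audit_jar(jar_bytes):
    """Report the bundled Spring version, the SpEL classes found, and a verdict."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    present = [c for c in SPEL_CLASSES if c in names]
    # SpEL classes with no readable version are treated as vulnerable (unknown).
    vulnerable = bool(present) and (version is None or is_vulnerable_spring(version))
    return {"spring_version": version, "spel_classes_present": present,
            "vulnerable": vulnerable}


def build_sample_jar(version):
    """Constructed stand-in for tika-app-1.18.jar; None bundles no Spring."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/tika/Tika.class", b"")
        if version is not None:
            jar.writestr(POM_PROPS, f"version={version}\n")
            for cls in SPEL_CLASSES:
                jar.writestr(cls, b"")
    return buf.getvalue()
```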


--
This message was sent by Atlassian JIRA
(v7.6.3#76005)