Spring-core unintended code execution in deserialization

Severity
CVSS: 9.0
 
Explanation
Due to the behavior of SerializableTypeWrapper in the Spring Framework, an arbitrary code execution attack may be executed against any application that deserializes user-supplied objects when commons-collections is on the classpath.

The intended behavior of SerializableTypeWrapper$MethodInvokeTypeProvider is to allow the invocation of any method on the Java classpath. Because SerializableTypeWrapper$MethodInvokeTypeProvider implements Serializable, it can be included in a serialized object. The combination of SerializableTypeWrapper's intended reflective functionality and its serializability allows an attacker to embed malicious content, such as a Runtime.getRuntime().exec() call reached via Java reflection, resulting in arbitrary code execution.

Detection
The application is vulnerable if it allows deserialization of untrusted data.
 
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: Any serializable object that allows reflection (dynamic method invocation) or execution of dangerous functionality will be subject to the same exploit.
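Beyond upgrading, the standard defensive control for the detection criterion above is to never let untrusted bytes resolve to unexpected classes. The following is an added example, not code from Spring or from this advisory: a look-ahead ObjectInputStream that enforces a class allowlist in resolveClass() and layers a JEP 290 filter (Java 9+) that explicitly rejects the SerializableTypeWrapper and commons-collections classes this advisory names. The class name AllowlistObjectInputStream, the helper readTrusted, and the application type com.example.app.OrderRequest are assumptions for illustration.

```java
import java.io.*;
import java.util.Set;

/** Added example (not Spring's code): fail-closed deserialization of untrusted input. */
public class AllowlistObjectInputStream extends ObjectInputStream {

    // Assumed application types; replace with the classes you actually expect.
    // Arrays and collections must be listed explicitly if they are expected.
    private static final Set<String> ALLOWED = Set.of(
        "com.example.app.OrderRequest",
        "java.lang.String",
        "java.lang.Integer",
        "java.lang.Number"
    );

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
        // Defence in depth (Java 9+): a JEP 290 filter that rejects the gadget
        // classes named in this advisory, caps graph depth/size, and denies all else.
        setObjectInputFilter(ObjectInputFilter.Config.createFilter(
            "!org.springframework.core.SerializableTypeWrapper$*;"
          + "!org.apache.commons.collections.**;"
          + "!org.apache.commons.collections4.**;"
          + "maxdepth=10;maxrefs=500;"
          + "com.example.app.*;java.lang.*;!*"));
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // resolveClass() runs before any object is instantiated, so a serialized
        // MethodInvokeTypeProvider or commons-collections gadget is rejected before
        // its readObject()/readResolve() logic can execute. Log this: an unexpected
        // class in untrusted input is itself a detection signal worth alerting on.
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize untrusted bytes into one expected type, or fail. */
    public static <T> T readTrusted(byte[] data, Class<T> expected)
            throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return expected.cast(in.readObject());
        }
    }
}
```

A rejected stream surfaces as InvalidClassException from readTrusted, which is the event to log and count in monitoring rather than swallow.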

Categories
Data
