Spring-core unintended code execution in deserialization

CVSS: 9.0
Because of the behavior of SerializableTypeWrapper in the Spring Framework, an arbitrary code execution attack can be mounted against any application that deserializes user-supplied objects when commons-collections is on the classpath.

The intended behavior of SerializableTypeWrapper$MethodInvokeTypeProvider is to invoke, by reflection, any method on the Java classpath. The class implements Serializable and can therefore be embedded in a serialized object graph. Combining that reflective method invocation with serializability lets an attacker supply an object that, when deserialized, reaches Runtime.getRuntime().exec() through Java reflection, yielding arbitrary code execution.

An application is vulnerable if it deserializes untrusted data while this class is on its classpath.
We recommend upgrading to a version of this component in which this specific issue is fixed.

Note: Any serializable class that performs reflection (dynamic method invocation) or other dangerous operations during deserialization is open to the same attack, so blocking this one class by name is not a complete fix. The durable defense is to stop deserializing untrusted data, or to restrict deserialization to an allowlist of the exact classes the endpoint expects.
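The following is an added example, not code from this advisory or from the Spring project, showing the allowlist check described above in Java: an ObjectInputStream subclass that rejects every class descriptor not on an explicit allowlist inside resolveClass(), which runs before the class is instantiated or its readObject() is called. The Greeting DTO and the AllowlistDeserializer class name are assumptions made for the example; a java.util.ArrayList stands in for an unexpected class, so no gadget library is needed to see the rejection.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Set;

/**
 * Allowlist-based deserialization (example added to the advisory, not Spring code).
 * Any class descriptor not on the allowlist is rejected in resolveClass(), i.e.
 * before ObjectInputStream instantiates the class or runs its readObject(), so a
 * gadget such as SerializableTypeWrapper$MethodInvokeTypeProvider never executes.
 */
public class AllowlistDeserializer {

    /** Hypothetical application DTO: the only type this endpoint expects. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    /** Exact class names the endpoint is willing to instantiate from a stream. */
    private static final Set<String> ALLOWED = Set.of(Greeting.class.getName());

    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Fail closed: refuse the descriptor instead of loading the class.
                throw new InvalidClassException(name, "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    public static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected type round-trips normally.
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);

        // Any other class is refused before it is instantiated. An ArrayList stands in
        // for the first class of a gadget chain; the check does not care which library
        // the chain lives in, which is what makes an allowlist better than a blocklist.
        try {
            deserialize(serialize(new ArrayList<String>()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later (and JDK 8 updates that backport JEP 290), the same policy can be expressed without subclassing by attaching an ObjectInputFilter, for example ObjectInputFilter.Config.createFilter("AllowlistDeserializer$Greeting;!*"), which also lets you cap object depth, array sizes and reference counts. Either way the rule is the same: name the classes you expect and reject everything else, rather than enumerating classes you fear.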
