Spring Data REST Vulnerability [CVE-2017-8046]

CUE Number – CVE-2017-8046

A vulnerability in Pivotal’s Spring Data Java web application development framework may allow an authenticated remote attacker to execute arbitrary code on a targeted device.

The Spring Data REST project is used by Java developers to link common additional features to their applications. It is amongst the most popular Java development frameworks, with most modern Java web applications using some REST interfaces.

An error in Spring’s coding language, SpEL, used within Data REST can allow specially crafted PATCH requests to be submitted to a targeted server using HTTP resources. These requests can contain JSON data, which an attacker can use to cause the server to execute any code the attacker wishes.

Key Points

  • At no point in time “various Spring modules” have been affected. The issue has existed in Spring Data REST only.
  • When the CVE (CVE-2017-8046) states a Spring Boot version affected, it does not mean that every Spring Boot project is affected. Only projects that use the particular Spring Data REST module are. We only state the Spring Boot versions in CVEs to allow users to quickly identify whether or not the version of Spring Boot that they are using contains a vulnerable version of Spring Data.
  • Some publications create the impression that all REST APIs built with Spring – including ones manually coded with Spring MVC – are affected. That’s not the case. You’re only affected if you expose HTTP resources that are handled by Spring Data REST.

Affected Platforms

  • Pivotal Spring Data REST – Versions prior to 2.5.12, 2.6.7 and 3.0 RC3
  • Pivotal Spring Boot – Versions prior to 2.0.0M4
  • Pivotal Spring Data – Release trains prior to Kay-RC3

Resolution

Pivotal have issued a patch for the issue as part of their Spring Boot 2.0 update. Users and administrators are encouraged to review and install this patch immediately.




Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: