CVE Number – CVE-2017-8046
A vulnerability in Pivotal’s Spring Data Java web application development framework may allow an authenticated remote attacker to execute arbitrary code on a targeted device.
The Spring Data REST project is used by Java developers to add common features to their applications. It is among the most popular Java development frameworks, and most modern Java web applications expose some REST interfaces.
An error in Spring’s expression language, SpEL, as used within Spring Data REST can allow specially crafted PATCH requests to be submitted to HTTP resources on a targeted server. These requests can carry JSON data that an attacker can use to make the server execute code of the attacker’s choosing.
- At no point in time have “various Spring modules” been affected. The issue has existed in Spring Data REST only.
- When the CVE (CVE-2017-8046) states a Spring Boot version affected, it does not mean that every Spring Boot project is affected. Only projects that use the particular Spring Data REST module are. We only state the Spring Boot versions in CVEs to allow users to quickly identify whether or not the version of Spring Boot that they are using contains a vulnerable version of Spring Data.
- Some publications create the impression that all REST APIs built with Spring – including ones manually coded with Spring MVC – are affected. That’s not the case. You’re only affected if you expose HTTP resources that are handled by Spring Data REST.
- Pivotal Spring Data REST – Versions prior to 2.5.12, 2.6.7 and 3.0 RC3
- Pivotal Spring Boot – Versions prior to 2.0.0M4
- Pivotal Spring Data – Release trains prior to Kay-RC3
Pivotal have issued a patch for the issue as part of their Spring Boot 2.0 update. Users and administrators are encouraged to review and install this patch immediately.
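As a defender’s check against the affected versions listed above, the following added Python example (not from the advisory or from Pivotal) scans `mvn dependency:list` output for Spring Data REST artifacts and classifies each version against the fixed releases 2.5.12, 2.6.7 and 3.0 RC3; the sample build output is constructed.

```python
import re
from typing import Dict, Optional

# Fixed versions as listed in the advisory: 2.5.12, 2.6.7 and 3.0 RC3
FIXED_PATCH = {(2, 5): 12, (2, 6): 7}
FIXED_30_RC = 3

# Spring Data REST version strings look like 2.6.6.RELEASE, 3.0.0.RC2 or 3.0.0.M4
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?$")

def _qualifier_rank(name: str, num: str) -> tuple:
    # Pre-release qualifiers order as M (milestone) < RC < RELEASE
    order = {"M": 0, "RC": 1, "RELEASE": 2}
    return (order.get(name.upper(), -1), int(num) if num else 0)

def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is fixed,
    None if unparseable or outside the ranges the advisory names."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    qual_name, qual_num = m.group(4) or "RELEASE", m.group(5) or ""
    if major < 2 or (major == 2 and minor < 5):
        return True      # everything before the 2.5.x line is prior to 2.5.12
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    if (major, minor) == (3, 0):
        if patch > 0:
            return False  # 3.0.1 and later come after 3.0 RC3
        return _qualifier_rank(qual_name, qual_num) < _qualifier_rank("RC", str(FIXED_30_RC))
    if major >= 3:
        return False      # later release trains already carry the fix
    return None           # a 2.x train the advisory does not name

def scan_dependency_list(output: str) -> Dict[str, Optional[bool]]:
    """Map each spring-data-rest artifact in `mvn dependency:list` output to its status."""
    found = {}
    for line in output.splitlines():
        m = re.search(r"org\.springframework\.data:(spring-data-rest[\w-]*):jar:([^:\s]+)", line)
        if m:
            found[f"{m.group(1)}:{m.group(2)}"] = is_vulnerable(m.group(2))
    return found

# Constructed sample of `mvn dependency:list` output, not taken from a real build
SAMPLE = """\
[INFO]    org.springframework.data:spring-data-rest-webmvc:jar:2.6.6.RELEASE:compile
[INFO]    org.springframework.data:spring-data-rest-core:jar:2.6.6.RELEASE:compile
[INFO]    org.springframework.data:spring-data-jpa:jar:1.11.6.RELEASE:compile
"""
```

Run `scan_dependency_list(SAMPLE)` to see both spring-data-rest artifacts flagged as affected while spring-data-jpa is ignored; a `None` result means the version is outside what this advisory covers and needs a manual look.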