Bug 1564405 (CVE-2018-1270)

Summary: CVE-2018-1270 spring-framework: Possible RCE via spring messaging
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: urgent
Priority: urgent
Version: unspecified
CC: aileenc, alazarot, anstephe, apevec, bmaxwell, bmcclain, cdewolf, chazlett, chrisw, csutherl, darran.lofthouse, dblechte, dffrench, dimitris, dosoudil, drieden, drusso, eedri, etirelli, fgavrilo, gvarsami, gzaronik, ibek, java-sig-commits, jawilson, jclere, jcoleman, jjoyce, jmadigan, jolee, jondruse, jschatte, jschluet, jshepherd, jstastny, kbasil, kconner, kverlaen, ldimaggi, lef, lgao, lgriffin, lhh, lpeer, lpetrovi, lsurette, markmc, mbabacek, mburns, mgoldboi, michal.skrivanek, mkolesni, myarboro, ngough, nwallace, oourfali, paradhya, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, puntogil, pwright, rbryant, Rhev-m-bugs, rnetuka, rrajasek, rstancel, rsvoboda, rsynek, rwagner, rzhang, sbonazzo, sclewis, sdaley, sherold, sisharma, slinaber, slong, ssaha, tcunning, tdecacqu, tkirby, trepel, twalsh, vbellur, vhalbert, vtunka, weli, yjog, ykaul, yozone
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard:
  impact=critical
  public=20180405
  reported=20180405
  source=internet
  cvss3=9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cwe=CWE-20
  Product/component status:
    fedora-all/springframework=notaffected
    rhel-8/springframework=notaffected
    fsw-6/spring=notaffected
    fuse-6/spring=affected/impact=important
    fis-2/spring=affected/impact=important
    jdv-6/spring=notaffected
    brms-5/spring=notaffected
    soap-5/spring=notaffected
    openstack-9/opendaylight=notaffected
    openstack-10/opendaylight=notaffected
    openstack-11/opendaylight=notaffected
    openstack-12/opendaylight=notaffected
    rhes-3/rhevm-dependencies=notaffected
    amq-6/spring=notaffected
    eap-5/jbossweb=notaffected
    eap-7/undertow=notaffected
    eap-6/jbossweb=notaffected
    jpp-6/spring=notaffected
    jbews-2/tomcat=notaffected
    jws-3/tomcat=notaffected
    rhmap-4/spring=notaffected
    rhev-m-4/rhevm-dependencies=notaffected
    fuse-7/spring=notaffected
Fixed In Version: springframework 5.0.5, springframework 4.3.15
Bug Depends On: 1564409    
Bug Blocks: 1564411    

Description Andrej Nemec 2018-04-06 07:57:28 UTC
Spring Framework allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

External References:

https://pivotal.io/security/cve-2018-1270
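
The description above does not name the message field that carries the payload. The upstream fix for this CVE (the 5.0.5 commit referenced in Comment 4) changes spring-messaging's DefaultSubscriptionRegistry, which evaluates the `selector` header of a STOMP SUBSCRIBE frame as a SpEL expression in order to filter the messages delivered to that subscription. Before the fix the expression ran under a StandardEvaluationContext, which permits type references such as `T(java.lang.Runtime)` and arbitrary method invocation; the fix moves the evaluation to a SimpleEvaluationContext that is limited to data binding. The block below is an added example, not Spring's own code: it reproduces the two evaluation paths side by side in a hypothetical `SelectorEvaluationDemo` class with a stand-in `Headers` bean (both are assumptions of this demo; the real registry matches against the message's headers through its own property accessor). It needs spring-expression 5.0.5 or later on the classpath, and the "hostile" selector only reads a JVM property so that the demonstration stays harmless.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Added example, not Spring's code: evaluates a STOMP SUBSCRIBE "selector"
 * header against a message the way a subscription filter does, under the two
 * evaluation contexts that the CVE-2018-1270 fix swaps.
 */
public class SelectorEvaluationDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Stand-in for the message a selector is matched against (an assumption of this demo). */
    public static class Headers {
        private final Map<String, Object> headers;
        public Headers(Map<String, Object> headers) { this.headers = headers; }
        public Map<String, Object> getHeaders() { return headers; }
    }

    /** Pre-fix shape: StandardEvaluationContext allows T(...) type references and any method call. */
    static boolean matchesUnsafe(String selector, Headers message) {
        Expression expr = PARSER.parseExpression(selector);
        EvaluationContext ctx = new StandardEvaluationContext(message);
        return Boolean.TRUE.equals(expr.getValue(ctx, Boolean.class));
    }

    /** Post-fix shape: SimpleEvaluationContext restricted to read-only property access. */
    static boolean matchesSafe(String selector, Headers message) {
        Expression expr = PARSER.parseExpression(selector);
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return Boolean.TRUE.equals(expr.getValue(ctx, message, Boolean.class));
    }

    public static void main(String[] args) {
        Map<String, Object> h = new HashMap<>();
        h.put("priority", "high");
        Headers message = new Headers(h);

        // A legitimate selector only reads message headers and works under both contexts.
        String benign = "headers['priority'] == 'high'";
        System.out.println("benign  / StandardEvaluationContext: " + matchesUnsafe(benign, message));
        System.out.println("benign  / SimpleEvaluationContext:   " + matchesSafe(benign, message));

        // A selector that leaves the data model through a type reference. Under
        // StandardEvaluationContext any static method is reachable this way; the
        // demo only reads a JVM property so that it stays harmless.
        String hostile = "T(java.lang.System).getProperty('java.version') != null";
        System.out.println("hostile / StandardEvaluationContext: " + matchesUnsafe(hostile, message));
        try {
            matchesSafe(hostile, message);
            System.out.println("hostile / SimpleEvaluationContext:   evaluated (unexpected)");
        } catch (EvaluationException e) {
            // SimpleEvaluationContext's TypeLocator rejects every type name, so T(...)
            // fails before any method is invoked.
            System.out.println("hostile / SimpleEvaluationContext:   rejected: " + e.getMessage());
        }
    }
}
```

The unsafe path is only reached when subscriptions are handled by Spring's in-memory simple broker, which is the configuration the description refers to. The remedy on this page is the version upgrade; note from Comment 4 that 4.3.15 alone was not a complete fix (CVE-2018-1275).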

Comment 1 Andrej Nemec 2018-04-06 08:04:02 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1564409]

Comment 4 Chess Hazlett 2018-04-10 17:16:27 UTC
Upstream fix (5.0.5): https://github.com/spring-projects/spring-framework/commit/e0de9126ed8cf25cf141d3e66420da94e350708a
The fix in 4.3.15 was incomplete, and a new CVE was issued: CVE-2018-1275.

Comment 9 Chess Hazlett 2018-04-16 18:27:26 UTC
Statement:

No Red Hat products are directly affected by this flaw; the products that package some parts of the Spring Framework either do not ship the affected messaging component, or use an older version that is not affected. 

Fuse 6.3 and Fuse Integration Services 2.0 are both not directly affected by the flaw, but both point to the affected versions in their respective Camel-Springboot Maven repository BOMs. Fixes for those repository links will be addressed in advisories via the regular patch cycle; customers using Spring STOMP messaging from these Maven repositories are advised to update to the new BOMs when available.

Comment 10 errata-xmlrpc 2018-10-17 19:29:15 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939