Bug 1800617 (CVE-2020-5397)

Summary: CVE-2020-5397 springframework: CSRF attack via CORS Preflight Requests with Spring MVC or Spring WebFlux
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, akoufoud, alazarot, almorale, anstephe, chazlett, dblechte, dfediuck, dingyichen, drieden, eedri, etirelli, extras-orphan, ggaughan, gvarsami, hvyas, ibek, janstey, java-sig-commits, jcoleman, jochrist, jolee, jschatte, jstastny, jwon, kconner, krathod, kverlaen, ldimaggi, lef, lsurette, mgoldboi, michal.skrivanek, mnovotny, nwallace, paradhya, pjindal, puebele, puntogil, Rhev-m-bugs, rrajasek, rsynek, rwagner, sbonazzo, sdaley, sherold, sisharma, tcunning, tkirby, vbellur, vhalbert, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: springframework 5.2.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in springframework. CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints are possible. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this is Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-18 10:31:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1800618    
Bug Blocks: 1800619    

Description Guilherme de Almeida Suckevicz 2020-02-07 14:35:03 UTC 
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

Reference:
https://pivotal.io/security/cve-2020-5397
Comment 1 Guilherme de Almeida Suckevicz 2020-02-07 14:35:31 UTC 
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1800618]
Comment 2 Kunjan Rathod 2020-02-09 23:24:03 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 5 Doran Moppert 2020-03-18 04:48:52 UTC 
Statement:

This issue does not affect the version of SpringFramework (embedded in rhevm-dependencies) shipped with Red Hat Gluster Storage 3, as it does not provide support for spring-web.

This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web.
Comment 6 Product Security DevOps Team 2020-03-18 10:31:44 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5397