Bug 737608 (CVE-2011-2730)

Summary: CVE-2011-2730 Spring Framework: Information (internal server information, classpath, local working directories, session IDs) disclosure
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: brms-jira, djorm, jrusnack, tkirby
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-18 15:31:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 794234, 892891, 918348    
Bug Blocks: 737623, 789173, 835396, 849517, 883225    

Description Jan Lieskovsky 2011-09-12 17:22:42 UTC
It was found that in certain circumstances, Spring framework evaluated Expression Language (EL) expressions twice: once by the container, and once by the tag. A remote attacker could use this flaw to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server, via a specially-crafted HTTP request.

References:
[1] http://www.securityfocus.com/archive/1/519586/30/0/threaded
[2] http://bit.ly/ExpressionLanguageInjection
[3] http://www.springsource.com/security/cve-2011-2730

Comment 1 Jan Lieskovsky 2011-09-12 17:24:39 UTC
Sample PoC (from [1]):
======================

<quote>

Example:
A request of the form:
http:///vulnerable.com/foo?message=${applicationScope}

to a page that contains:
<spring:message code="${param['message']}" text=""/>

will result in output that contains internal server information including the classpath and local working directories. Session IDs can be obtained using similar techniques.

</quote>

Comment 4 David Jorm 2011-10-14 05:15:47 UTC
Statement:

This flaw was originally reported as resulting in information disclosure only, and was therefore assessed as having low security impact. On this basis, it was planned that future updates to JBoss products may address this flaw. New research [0] has now shown that this flaw can lead to remote code execution. The security impact has been re-assessed as important, and Red Hat is now working on patches for all affected products.

[0] http://danamodio.com/application-security/discoveries/spring-remote-code-with-expression-language-injection/

Comment 6 Jan Lieskovsky 2013-01-18 16:16:44 UTC
*** Bug 901574 has been marked as a duplicate of this bug. ***

Comment 7 errata-xmlrpc 2013-01-24 18:09:21 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html

Comment 8 errata-xmlrpc 2013-01-24 18:32:16 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html

Comment 9 errata-xmlrpc 2013-01-24 18:33:02 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html

Comment 10 errata-xmlrpc 2013-01-24 18:45:20 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html

Comment 11 errata-xmlrpc 2013-01-24 18:46:05 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html

Comment 12 errata-xmlrpc 2013-01-24 18:58:19 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html

Comment 13 errata-xmlrpc 2013-01-24 18:59:13 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html

Comment 14 errata-xmlrpc 2013-01-24 19:08:19 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html

Comment 15 errata-xmlrpc 2013-01-31 20:31:13 UTC
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html

Comment 16 errata-xmlrpc 2013-02-20 21:43:40 UTC
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.3.1

Via RHSA-2013:0533 https://rhn.redhat.com/errata/RHSA-2013-0533.html

Comment 17 errata-xmlrpc 2013-06-18 14:49:19 UTC
This issue has been addressed in following products:

  Red Hat JBoss Portal 5.2.2

Via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html