Bug 737611 (CVE-2011-2894)
Summary: | CVE-2011-2894 Spring Framework, Spring Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | brms-jira, djorm, mjc, rcvalle, tkirby, vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-09-22 23:57:09 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 738901 | ||
Bug Blocks: | 737623 |
Description
Jan Lieskovsky
2011-09-12 17:36:53 UTC
Sample PoC (from [1]): ====================== <quote> Example: It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service. Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to circumvent the server-side checking of the submitted token. </quote> This issue has been addressed in following products: JBoss Enterprise SOA Platform 5.1.0 Via RHSA-2011:1334 https://rhn.redhat.com/errata/RHSA-2011-1334.html |