Bug 737611 (CVE-2011-2894)

Summary: CVE-2011-2894 Spring Framework, Spring Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: brms-jira, djorm, mjc, rcvalle, tkirby, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-09-22 23:57:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 738901
Bug Blocks: 737623

Description Jan Lieskovsky 2011-09-12 17:36:53 UTC
Multiple security flaws were found in the way the Spring Framework and Spring Security tools de-serialized certain Java objects. A remote attacker could use these flaws to execute chosen commands on the server (by serializing a sub-classed DefaultListableBeanFactory instance from the client to the server using the "java.lang.Runtime" class, Spring Framework) or bypass the server-side checking of the submitted authentication token (Spring Security).

References:
[1] http://www.securityfocus.com/archive/1/519593/30/0/threaded
[2] http://www.springsource.com/security/cve-2011-2894

Comment 1 Jan Lieskovsky 2011-09-12 17:39:07 UTC
Sample PoC (from [1]):
======================

<quote>
Example:

It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service.

Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to circumvent the server-side checking of the submitted token.
</quote>
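Added example, not taken from the report or from the Spring project's own fix (the vendor fix is the one referenced in [2]): a look-ahead ObjectInputStream that refuses any class not on an explicit allow-list and refuses dynamic proxies outright, which is the stream-level control that stops both de-serialization vectors named above (a serialized DefaultListableBeanFactory subclass, and a java.lang.Proxy instance carrying an InvocationHandler) before any object of the rejected type is constructed. The PingRequest type and the allow-list contents are assumed placeholders for an application's own remoting request types; the Advised-interface vector is an exposure-of-interface problem and is not covered by this control.

```java
import java.io.*;
import java.util.Set;

// Assumption: this endpoint only ever expects a few known request types. Anything else
// (bean factories, dynamic proxies, unknown gadget classes) is refused while the stream is
// still being read, before a single object of the rejected type is constructed.
public class RestrictedObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    public RestrictedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // Called for every ordinary class descriptor in the stream; this is where a serialized
    // DefaultListableBeanFactory (or any subclass of it) would be stopped.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // java.lang.reflect.Proxy instances go through this hook instead of resolveClass, so the
    // allow-list above alone would not catch the InvocationHandler-based variant.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException("java.lang.reflect.Proxy", "dynamic proxies are not accepted");
    }

    // Hypothetical request type standing in for a legitimate remoting argument.
    public static class PingRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public String message = "ping";
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new PingRequest());
        }
        Set<String> allow = Set.of(PingRequest.class.getName());
        try (ObjectInputStream in = new RestrictedObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), allow)) {
            PingRequest req = (PingRequest) in.readObject();
            System.out.println(req.message);
        }
    }
}
```

Replacing PingRequest in the byte stream with any other serializable type makes readObject() fail with InvalidClassException at the class descriptor, before the type's constructor or readObject hooks run.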

Comment 4 errata-xmlrpc 2011-09-22 17:04:46 UTC
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.1.0

Via RHSA-2011:1334 https://rhn.redhat.com/errata/RHSA-2011-1334.html