Bug 737608 (CVE-2011-2730) - CVE-2011-2730 Spring Framework: Information (internal server information, classpath, local working directories, session IDs) disclosure
Summary: CVE-2011-2730 Spring Framework: Information (internal server information, cla...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2730
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20110909,repo...
: 901574 (view as bug list)
Depends On: 794234 892891 918348
Blocks: 737623 789173 835396 849517 883225
TreeView+ depends on / blocked
 
Reported: 2011-09-12 17:22 UTC by Jan Lieskovsky
Modified: 2019-06-08 18:54 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-18 15:31:16 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0191 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:30:08 UTC
Red Hat Product Errata RHSA-2013:0192 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:28:23 UTC
Red Hat Product Errata RHSA-2013:0193 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:42:29 UTC
Red Hat Product Errata RHSA-2013:0194 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 update 2013-01-24 23:08:14 UTC
Red Hat Product Errata RHSA-2013:0195 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-24 23:41:24 UTC
Red Hat Product Errata RHSA-2013:0196 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-24 23:55:46 UTC
Red Hat Product Errata RHSA-2013:0197 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-24 23:54:22 UTC
Red Hat Product Errata RHSA-2013:0198 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 update 2013-01-25 00:07:17 UTC
Red Hat Product Errata RHSA-2013:0221 normal SHIPPED_LIVE Important: JBoss Enterprise BRMS Platform 5.3.1 update 2013-02-01 01:23:18 UTC
Red Hat Product Errata RHSA-2013:0533 normal SHIPPED_LIVE Important: JBoss Enterprise SOA Platform 5.3.1 update 2013-02-21 02:42:25 UTC
Red Hat Product Errata RHSA-2013:0953 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 5.2.2 security update 2013-06-18 18:48:45 UTC

Description Jan Lieskovsky 2011-09-12 17:22:42 UTC
It was found that in certain circumstances, Spring framework evaluated Expression Language (EL) expressions twice: once by the container, and once by the tag. A remote attacker could use this flaw to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server, via a specially-crafted HTTP request.

References:
[1] http://www.securityfocus.com/archive/1/519586/30/0/threaded
[2] http://bit.ly/ExpressionLanguageInjection
[3] http://www.springsource.com/security/cve-2011-2730

Comment 1 Jan Lieskovsky 2011-09-12 17:24:39 UTC
Sample PoC (from [1]):
======================

<quote>

Example:
A request of the form:
http:///vulnerable.com/foo?message=${applicationScope}

to a page that contains:
<spring:message code="${param['message']}" text=""/>

will result in output that contains internal server information including the classpath and local working directories. Session IDs can be obtained using similar techniques.

</quote>

Comment 4 David Jorm 2011-10-14 05:15:47 UTC
Statement:

This flaw was originally reported as resulting in information disclosure only, and was therefore assessed as having low security impact. On this basis, it was planned that future updates to JBoss products may address this flaw. New research [0] has now shown that this flaw can lead to remote code execution. The security impact has been re-assessed as important, and Red Hat is now working on patches for all affected products.

[0] http://danamodio.com/application-security/discoveries/spring-remote-code-with-expression-language-injection/

Comment 6 Jan Lieskovsky 2013-01-18 16:16:44 UTC
*** Bug 901574 has been marked as a duplicate of this bug. ***

Comment 7 errata-xmlrpc 2013-01-24 18:09:21 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html

Comment 8 errata-xmlrpc 2013-01-24 18:32:16 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 5

Via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html

Comment 9 errata-xmlrpc 2013-01-24 18:33:02 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6

Via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html

Comment 10 errata-xmlrpc 2013-01-24 18:45:20 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6

Via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html

Comment 11 errata-xmlrpc 2013-01-24 18:46:05 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4

Via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html

Comment 12 errata-xmlrpc 2013-01-24 18:58:19 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4

Via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html

Comment 13 errata-xmlrpc 2013-01-24 18:59:13 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 5

Via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html

Comment 14 errata-xmlrpc 2013-01-24 19:08:19 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html

Comment 15 errata-xmlrpc 2013-01-31 20:31:13 UTC
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1

Via RHSA-2013:0221 https://rhn.redhat.com/errata/RHSA-2013-0221.html

Comment 16 errata-xmlrpc 2013-02-20 21:43:40 UTC
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.3.1

Via RHSA-2013:0533 https://rhn.redhat.com/errata/RHSA-2013-0533.html

Comment 17 errata-xmlrpc 2013-06-18 14:49:19 UTC
This issue has been addressed in following products:

  Red Hat JBoss Portal 5.2.2

Via RHSA-2013:0953 https://rhn.redhat.com/errata/RHSA-2013-0953.html


Note You need to log in before you can comment on or make changes to this bug.