Bug 737611 – CVE-2011-2894 Spring Framework, Spring Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 737611 - (CVE-2011-2894) CVE-2011-2894 Spring Framework, Spring Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization

Summary:	CVE-2011-2894 Spring Framework, Spring Security: Chosen commands execution o...

Status:	CLOSED ERRATA

Aliases:	CVE-2011-2894

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20110909,repo...
Keywords:	Security

Depends On:	738901
Blocks:	737623
	Show dependency tree / graph

Reported:	2011-09-12 13:36 EDT by Jan Lieskovsky
Modified:	2012-07-09 13:42 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2011-09-22 19:57:09 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1334	normal	SHIPPED_LIVE	Important: JBoss Enterprise SOA Platform 5.1.0 security update	2011-09-22 13:04:41 EDT

Groups: None (edit)

Description Jan Lieskovsky 2011-09-12 13:36:53 EDT

Multiple security flaws were found in the way the Spring Framework and Spring Security tools de-serialized certain Java objects. A remote attacker could use this flaw to execute chosen commands on the server (by serializing a sub-classed DefaultListableBeanFactory instance from the client to the server using the "java.lang.Runtime" class, Spring Framework) or bypass the server-side checking of the submitted authentication token (Spring Security).

References:
[1] http://www.securityfocus.com/archive/1/519593/30/0/threaded
[2] http://www.springsource.com/security/cve-2011-2894

Comment 1 Jan Lieskovsky 2011-09-12 13:39:07 EDT

Sample PoC (from [1]):
======================

<quote>
Example:

It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service.

Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to circumvent the server-side checking of the submitted token.
</quote>

Comment 4 errata-xmlrpc 2011-09-22 13:04:46 EDT

This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.1.0

Via RHSA-2011:1334 https://rhn.redhat.com/errata/RHSA-2011-1334.html

Note You need to log in before you can comment on or make changes to this bug.