Bug 737611 (CVE-2011-2894) - CVE-2011-2894 Spring Framework, Spring Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization
Summary: CVE-2011-2894 Spring Framework, Spring Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2894
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20110909,repo...
Depends On: 738901
Blocks: 737623
Reported: 2011-09-12 17:36 UTC by Jan Lieskovsky
Modified: 2019-06-08 18:54 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-22 23:57:09 UTC

Links:
Red Hat Product Errata RHSA-2011:1334 (priority: normal, status: SHIPPED_LIVE): Important: JBoss Enterprise SOA Platform 5.1.0 security update, last updated 2011-09-22 17:04:41 UTC

Description Jan Lieskovsky 2011-09-12 17:36:53 UTC
Multiple security flaws were found in the way the Spring Framework and Spring Security tools de-serialized certain Java objects. A remote attacker could use this flaw to execute chosen commands on the server (by serializing a sub-classed DefaultListableBeanFactory instance from the client to the server using the "java.lang.Runtime" class, Spring Framework) or bypass the server-side checking of the submitted authentication token (Spring Security).

References:
[1] http://www.securityfocus.com/archive/1/519593/30/0/threaded
[2] http://www.springsource.com/security/cve-2011-2894

Comment 1 Jan Lieskovsky 2011-09-12 17:39:07 UTC
Sample PoC (from [1]):
======================

<quote>
Example:

It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service.

Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to circumvent the server-side checking of the submitted token.
</quote>
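
A defensive counterpart to the quoted PoC description, as an added example that is not from the report or from the Spring projects: a look-ahead ObjectInputStream that vets every class descriptor before any object is instantiated, refusing classes outside an allowlist (so a serialized DefaultListableBeanFactory is rejected) and refusing all java.lang.reflect.Proxy instances, which is the Proxy/InvocationHandler path described above. The allowlist, the Greeting DTO and the NoopHandler are hypothetical; Java 9 or later is assumed for Set.of.

```java
import java.io.*;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

/** Look-ahead deserialization: every class in the stream is vetted before any object is created. */
public class VettedObjectInputStream extends ObjectInputStream {
    // Hypothetical allowlist: only the types a remote invocation legitimately carries.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Number", "java.lang.Integer",
            "VettedObjectInputStream$Greeting");
    public VettedObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName()))   // e.g. DefaultListableBeanFactory is refused here
            throw new InvalidClassException(desc.getName(), "class not permitted in remote invocation stream");
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
        // A java.lang.reflect.Proxy carries a client-supplied InvocationHandler: refuse every proxy.
        throw new InvalidClassException("java.lang.reflect.Proxy", "dynamic proxies are not permitted");
    }
    // Hypothetical application DTO that a remote call is allowed to carry.
    static final class Greeting implements Serializable { String text = "hi"; }
    // Harmless serializable handler, used only to show that any proxy is rejected.
    static final class NoopHandler implements InvocationHandler, Serializable {
        public Object invoke(Object p, Method m, Object[] a) { return null; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object vettedRead(byte[] bytes) throws IOException, ClassNotFoundException {
        return new VettedObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DTO accepted: " + ((Greeting) vettedRead(serialize(new Greeting()))).text);
        Object proxy = Proxy.newProxyInstance(VettedObjectInputStream.class.getClassLoader(),
                new Class<?>[]{Runnable.class}, new NoopHandler());
        try { vettedRead(serialize(proxy)); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The rejection happens while the class descriptor is read, before the proxy's handler or any bean factory state is materialised, so no constructor or readObject of the refused type ever runs.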

Comment 4 errata-xmlrpc 2011-09-22 17:04:46 UTC
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.1.0

Via RHSA-2011:1334 https://rhn.redhat.com/errata/RHSA-2011-1334.html