
Spring break! Critical vuln in Pivotal framework's Data parts plugged

Similar to Apache Struts flaw that stuffed Equifax

Pivotal Labs' Spring Data REST project has a serious security hole that needs patching.

Pivotal's Spring Framework is a popular platform for building web apps. Spring Data REST is a collection of additional components for devs to build Java applications that offer RESTful APIs to underlying Spring Data repositories. These interfaces are widely used.

The critically rated remote code execution vulnerability (CVE-2017-8046) was discovered by security researchers at Semmle, who went public with their findings last week. Pivotal issued a patch for a flaw it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.

Pivotal's advisory crediting Semmle/lgtm for uncovering the vulnerability came out in late September.

In response to queries from El Reg, lgtm.com chief exec Oege de Moor explained why researchers had delayed for months before going public with details of the vulnerability.

"We worked closely with Pivotal on the timeline for publishing the blog post. Due to the severity of the issue, Brian Dussault (the director of engineering for Pivotal) wanted to make sure all users of Spring Data REST had sufficient time to update. So the delay is due to the Semmle/lgtm team taking its responsibilities extremely seriously."

The fix is a candidate for early triage, not least because the remote code execution vulnerability it addresses is similar to the weaknesses found in Apache Struts, which were determined to be the root cause of the infamous Equifax breach.

The critical flaw affects various projects in Pivotal Spring. Left unresolved, it allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

RESTful APIs are commonly publicly accessible, creating a mechanism for hackers to easily gain control over production servers and obtain sensitive user data.

The vuln was found by security researcher Man Yue Mo at Semmle — the team behind the QL code inspection tool lgtm.

This vulnerability is caused by the way Spring's own expression language (SpEL) is used in the Data REST component. Because user input reaches the expression evaluator unvalidated, an attacker can execute arbitrary commands on any machine that runs an application built using Spring Data REST. This vulnerability has been assigned CVE-2017-8046, and is referred to by Pivotal in their release notes as DATAREST-1127.
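The bug class described above, evaluating a request-supplied string as a full SpEL expression, is easier to reason about with the two patterns side by side. The following is an added illustration written for this article; it is not code from Spring Data REST or from Pivotal, and it does not reproduce the exact code path that CVE-2017-8046 lives in (the real fix is the upgrade listed below). The `Person` class and the sample input strings are constructed for the demo. The hardened variant assumes `SimpleEvaluationContext`, which Spring Framework ships from 4.3.15 and 5.0.4 onward: it resolves plain property paths against a root object but refuses `T(...)` type references, constructors, bean references and arbitrary method calls, which is what turns "evaluate whatever the client sent" into "look up a field name".

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelInputDemo {

    // Constructed sample entity: the kind of object a REST resource exposes.
    public static class Person {
        private String firstName = "Ada";
        private String lastName = "Lovelace";
        public String getFirstName() { return firstName; }
        public void setFirstName(String v) { firstName = v; }
        public String getLastName() { return lastName; }
        public void setLastName(String v) { lastName = v; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE PATTERN: the caller's string (for example a field path taken
    // from a request body) is parsed as a complete SpEL expression and run in a
    // StandardEvaluationContext, which allows type references, constructors and
    // method invocation. Whatever the client writes executes with the
    // application's privileges; this is the shape of bug the article describes.
    public static Object evaluateUntrustedUnsafe(String userSupplied, Object root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(userSupplied).getValue(ctx);
    }

    // HARDENED PATTERN: a read-only data-binding context. It still resolves
    // property paths such as "firstName" against the root object, but SpEL
    // throws an EvaluationException for T(...) type references, constructors,
    // bean references and method calls, so the string can only name data.
    public static Object evaluateUntrustedRestricted(String userSupplied, Object root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(userSupplied).getValue(ctx, root);
    }

    public static void main(String[] args) {
        Person p = new Person();
        // Constructed inputs: a legitimate property path and a benign type
        // reference that stands in for "anything other than a field name".
        String[] inputs = { "firstName", "T(java.lang.Math).abs(-1)" };
        for (String in : inputs) {
            try {
                System.out.println("restricted allowed: " + in + " -> "
                        + evaluateUntrustedRestricted(in, p));
            } catch (EvaluationException e) {
                System.out.println("restricted rejected: " + in + " ("
                        + e.getClass().getSimpleName() + ")");
            }
            try {
                System.out.println("standard   allowed: " + in + " -> "
                        + evaluateUntrustedUnsafe(in, p));
            } catch (EvaluationException e) {
                System.out.println("standard   rejected: " + in);
            }
        }
    }
}
```

Run with `spring-expression` on the classpath. The restricted context accepts `firstName` and rejects the type reference with an `EvaluationException`, while the standard context happily evaluates both, which is the whole difference between a data path and an expression language. A review check for any code that feeds request data to `SpelExpressionParser` is therefore: which `EvaluationContext` does it use, and does the input need to be an expression at all, or would a plain property lookup do.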


"Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services," Semmle said.

The following Spring products and components are affected:

  • Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3
    • (Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
  • Spring Boot, versions prior to 2.0.0M4
    • (when using the included Spring Data REST component: spring-boot-starter-data-rest)
  • Spring Data, versions prior to Kay-RC3

Users are strongly advised to upgrade to the latest versions of those components. ®
