Description
CVE ID(s)
Not yet.
Report
Spring Framework provides an abstract base class `RemoteInvocationSerializingExporter` for defining remote service exporters. A Spring exporter based on this class deserializes incoming data using `ObjectInputStream`. Deserializing untrusted data (CWE-502) is easily exploitable and in many cases allows an attacker to execute arbitrary code. Spring Framework also provides two classes that extend `RemoteInvocationSerializingExporter`:
- `HttpInvokerServiceExporter`
- `SimpleHttpInvokerServiceExporter`
CVE-2016-1000027 has been assigned to this issue in Spring Framework. There is no fix for that.
I'd like to propose a new experimental query that looks for unsafe deserialization with Spring exporters:
Many projects have received alerts about CVE-2016-1000027 from security scanners. Since Spring Framework didn't address the issue, they can't simply update Spring Framework. Instead, they have to understand the issue and check their own code. This query can make that easier and help them check the code. Moreover, the query can detect unsafe exporters even without scanners that look for known vulnerabilities.
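As an illustration of what such a query can look like (an added example, not the query proposed in this submission and not part of the CodeQL repository), the following CodeQL query flags Java code that instantiates `RemoteInvocationSerializingExporter` or any subclass of it, which covers `HttpInvokerServiceExporter` and `SimpleHttpInvokerServiceExporter`. It assumes the base class lives in the package `org.springframework.remoting.rmi`; the query `@id` is a placeholder. Exporters declared only in Spring XML bean definitions are not covered by this example.

```ql
/**
 * @name Spring exporter that deserializes untrusted data (example)
 * @description Instantiating a RemoteInvocationSerializingExporter subclass
 *              exposes an endpoint that deserializes request bodies with
 *              ObjectInputStream (CWE-502).
 * @kind problem
 * @problem.severity error
 * @id java/example/spring-exporter-unsafe-deserialization
 */

import java

/**
 * Any reference type that is, or transitively extends,
 * org.springframework.remoting.rmi.RemoteInvocationSerializingExporter.
 * (Package name is an assumption of this example.)
 */
class SpringSerializingExporter extends RefType {
  SpringSerializingExporter() {
    this.getASourceSupertype*()
        .hasQualifiedName("org.springframework.remoting.rmi",
                          "RemoteInvocationSerializingExporter")
  }
}

// Report every `new ...Exporter(...)` expression whose constructed type is
// one of the serializing exporters, e.g. inside a @Bean factory method.
from ClassInstanceExpr newExporter, SpringSerializingExporter exporterType
where newExporter.getConstructedType() = exporterType
select newExporter,
  "Unsafe deserialization: " + exporterType.getName() +
  " deserializes incoming requests with ObjectInputStream."
```

The `getASourceSupertype*()` closure is what lets one pattern catch both built-in exporters and any project-specific subclass of the base class; a project that defines its own exporter on top of `RemoteInvocationSerializingExporter` is flagged without having to list its name.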
- Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
I wrote a blog post about detecting unsafe deserialization with Spring exporters with CodeQL.
Result(s)
- Unsafe deserialization in HELIX-GR/lab: The server has an endpoint that uses a vulnerable exporter, which can lead to RCE in the worst case (depends on a gadget).
- Unsafe deserialization in YAMJ/yamj-v3: The server has an endpoint that uses a vulnerable exporter, which can lead to RCE in the worst case (depends on a gadget).