Spring break! Critical vuln in Pivotal framework's Data parts plugged

Similar to Apache Struts flaw that stuffed Equifax

By John Leyden

Pivotal Labs' Spring Data REST project has a serious security hole that needs patching.

Pivotal's Spring Framework is a popular platform for building web apps. Spring Data REST is a collection of additional components for devs to build Java applications that offer RESTful APIs to underlying Spring Data repositories. These interfaces are widely used.

The critically rated remote code execution vulnerability (CVE-2017-8046) was discovered by security researchers at Semmle, who went public with their findings last week. Pivotal issued a patch for a flaw it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.

Pivotal's advisory crediting Semmle/lgtm for uncovering the vulnerability came out in late September.

In response to queries from El Reg, lgtm.com chief exec Oege de Moor explained why researchers had delayed for months before going public with details of the vulnerability.

"We worked closely with Pivotal on the timeline for publishing the blog post. Due to the severity of the issue, Brian Dussault (the director of engineering for Pivotal) wanted to make sure all users of Spring Data REST had sufficient time to update. So the delay is due to the Semmle/lgtm team taking its responsibilities extremely seriously."

The fix is a candidate for early triage, not least because the remote code execution vulnerability it addresses is similar to the weaknesses found in Apache Struts, which was determined to be the root cause of the infamous Equifax breach.

The critical flaw affects various projects in Pivotal Spring. Left unresolved, it allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

RESTful APIs are commonly publicly accessible, creating a mechanism for hackers to easily gain control over production servers and obtain sensitive user data.

The vuln was found by security researcher Man Yue Mo at Semmle — the team behind the QL code inspection tool lgtm.

This vulnerability is caused by the way Spring's own expression language (SpEL) is used in the Data REST component. Unvalidated user input leads to an attacker being able to execute arbitrary commands on any machine that runs an application built using Spring Data REST. This vulnerability has been assigned CVE-2017-8046, and is referred to by Pivotal in their release notes as DATAREST-1127.
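The pattern behind the bug, as an added illustration that is not code from the article, from Pivotal or from Semmle: a request string is handed straight to Spring's SpEL parser and evaluated with a full-powered `StandardEvaluationContext`, so anything the expression language can express (type references, method calls) runs on the server. The hardened version beside it restricts the input to the shape the application actually needs (a plain property path) and evaluates it in a `SimpleEvaluationContext`, which rejects type references and method invocation outright. The example assumes the `spring-expression` artifact is on the classpath; the `PathBinder` and `Person` classes are hypothetical, and this is a generic mitigation of the pattern, not a description of the patch Pivotal shipped.

```java
// Added example (not code from the article, Pivotal or Semmle).
// Assumes spring-expression on the classpath; PathBinder and Person are hypothetical.
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

import java.util.regex.Pattern;

public class PathBinder {

    // Plain property path only: "name", "address.city". No operators, no T(), no calls.
    private static final Pattern SAFE_PATH =
        Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*$");

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable pattern: the raw request string becomes a SpEL expression and is
    // evaluated with a context that can resolve types and invoke methods.
    static Object evaluateUnsafe(Object root, String untrustedPath) {
        Expression expr = PARSER.parseExpression(untrustedPath);
        return expr.getValue(new StandardEvaluationContext(root));
    }

    // Hardened: allow-list the shape of the path first, then evaluate it in a
    // read-only data-binding context that has no type locator and no method resolver.
    static Object evaluateSafe(Object root, String untrustedPath) {
        if (!SAFE_PATH.matcher(untrustedPath).matches()) {
            throw new IllegalArgumentException("rejected path: " + untrustedPath);
        }
        Expression expr = PARSER.parseExpression(untrustedPath);
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return expr.getValue(ctx, root);
    }

    // Hypothetical domain object standing in for a Spring Data entity.
    public static class Person {
        private final String name;
        public Person(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public static void main(String[] args) {
        Person p = new Person("alice");

        // Legitimate property path: accepted and resolved against the root object.
        System.out.println(evaluateSafe(p, "name"));

        // A type reference is not a property path: rejected before it ever reaches SpEL.
        try {
            evaluateSafe(p, "T(java.lang.Math).abs(-1)");
        } catch (IllegalArgumentException e) {
            System.out.println("allow-list: " + e.getMessage());
        }

        // Defence in depth: even without the regex, the restricted context refuses
        // to resolve the type, so the expression fails instead of running.
        try {
            PARSER.parseExpression("T(java.lang.Math).abs(-1)")
                  .getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), p);
        } catch (EvaluationException e) {
            System.out.println("restricted context: " + e.getMessage());
        }
    }
}
```

The two controls are independent: the allow-list keeps the parser from seeing anything but the property paths the endpoint is meant to bind, and the restricted context limits what an expression can do if validation is bypassed or forgotten on another code path. Either one alone would have blocked the class of input the article describes; together they also make a review question ("where does user input reach `parseExpression`?") easy to answer.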

"Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services," Semmle said.

The following Spring products and components are affected:

Users are strongly advised to upgrade to the latest versions of those components. ®
