
Spring break! Critical vuln in Pivotal framework's Data parts plugged

Similar to Apache Struts flaw that stuffed Equifax

By John Leyden


Pivotal Labs' Spring Data REST project has a serious security hole that needs patching.

Pivotal's Spring Framework is a popular platform for building web apps. Spring Data REST is a collection of additional components for devs to build Java applications that offer RESTful APIs to underlying Spring Data repositories. These interfaces are widely used.

The critically rated remote code execution vulnerability (CVE-2017-8046) was discovered by security researchers at Semmle, who went public with their findings last week. Pivotal issued a patch for a flaw it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.

Pivotal's advisory crediting Semmle/lgtm for uncovering the vulnerability came out in late September.

In response to queries from El Reg, lgtm.com chief exec Oege de Moor explained why researchers had delayed for months before going public with details of the vulnerability.

"We worked closely with Pivotal on the timeline for publishing the blog post. Due to the severity of the issue, Brian Dussault (the director of engineering for Pivotal) wanted to make sure all users of Spring Data REST had sufficient time to update. So the delay is due to the Semmle/lgtm team taking its responsibilities extremely seriously."

The fix deserves early attention, not least because the remote code execution vulnerability it addresses is similar in kind to the weakness in Apache Struts that was identified as the root cause of the infamous Equifax breach.

The critical flaw affects several Pivotal Spring projects. Left unpatched, it lets an attacker execute arbitrary commands on any machine running an application built on Spring Data REST.

Because RESTful APIs are commonly exposed to the public internet, the flaw gives attackers a straightforward route to take control of production servers and harvest sensitive user data.

The vuln was found by security researcher Man Yue Mo at Semmle — the team behind the QL code inspection tool lgtm.

The root cause is the way the Data REST component uses Spring's own expression language (SpEL): part of an incoming request is evaluated as a SpEL expression without being validated first. Since SpEL can reference arbitrary JVM types and invoke their methods, that unvalidated input lets an attacker execute arbitrary commands on any machine running an application built with Spring Data REST. The bug is tracked as CVE-2017-8046 and, in Pivotal's release notes, as DATAREST-1127.
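To make the class of bug concrete, here is an added example (it is not Spring Data REST's code and it is not Pivotal's fix) contrasting what happens when an untrusted string is evaluated with SpEL's default StandardEvaluationContext versus a restricted SimpleEvaluationContext. It assumes spring-expression is on the classpath in a release that provides SimpleEvaluationContext (Spring Framework 5.0.5 / 4.3.15 or later). The Person class and the attacker string are constructed for the demonstration, and the payload is deliberately benign: it reaches into java.lang.Runtime to count CPUs rather than to spawn a process.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Stand-in for an entity exposed through a repository (constructed for this example).
    public static class Person {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String n) { name = n; }
    }

    // In the real bug this text arrives over HTTP. Here it is a constructed, benign
    // payload: a SpEL type reference followed by a static call into the JVM.
    static final String ATTACKER_INPUT =
            "T(java.lang.Runtime).getRuntime().availableProcessors()";

    // The dangerous pattern: parse whatever the caller sent and evaluate it in the
    // default context, which allows T(...) type references, method invocation on any
    // reachable object, constructors and bean references.
    static Object evaluateUnsafely(String input, Object root) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(input);
        return exp.getValue(new StandardEvaluationContext(root));
    }

    // Defence in depth for cases where an expression really must come from outside:
    // a read-only data-binding context exposes only property access on the root object.
    // Type references, method calls and bean references all fail at evaluation time.
    static Object evaluateRestricted(String input, Object root) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(input);
        return exp.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    public static void main(String[] args) {
        Person p = new Person();

        // A legitimate property path works in both contexts.
        System.out.println("legit,    standard: " + evaluateUnsafely("name", p));
        System.out.println("legit,    simple  : " + evaluateRestricted("name", p));

        // The hostile string succeeds in the default context...
        System.out.println("attacker, standard: " + evaluateUnsafely(ATTACKER_INPUT, p));

        // ...and is rejected in the restricted one (SpelEvaluationException, a subclass
        // of EvaluationException, because the type cannot be located).
        try {
            evaluateRestricted(ATTACKER_INPUT, p);
            System.out.println("attacker, simple  : NOT rejected (unexpected)");
        } catch (EvaluationException e) {
            System.out.println("attacker, simple  : rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

The restricted context is a mitigation, not a substitute for the primary fix: user-controlled strings should never reach the expression parser at all, and the safe design is to treat request fields such as JSON paths as data to be matched against known property names rather than as code to be evaluated.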


"Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services," Semmle said.

The following Spring products and components are affected:

Users are strongly advised to upgrade to the latest versions of those components. ®
