Spring break! Critical vuln in Pivotal framework's Data parts plugged

Similar to Apache Struts flaw that stuffed Equifax

By John Leyden

Pivotal's Spring Data REST project has a serious security hole that needs patching.

Pivotal's Spring Framework is a popular platform for building web apps. Spring Data REST is a collection of additional components for devs to build Java applications that offer RESTful APIs to underlying Spring Data repositories. These interfaces are widely used.

The critically rated remote code execution vulnerability (CVE-2017-8046) was discovered by security researchers at Semmle, who went public with their findings last week. Pivotal tracks the flaw as DATAREST-1127 and fixed it in patched Spring Data REST releases, which were also picked up by its Spring Boot 2.0 line.

Pivotal's advisory crediting Semmle/lgtm for uncovering the vulnerability came out in late September.

In response to queries from El Reg, lgtm.com chief exec Oege de Moor explained why researchers had delayed for months before going public with details of the vulnerability.

"We worked closely with Pivotal on the timeline for publishing the blog post. Due to the severity of the issue, Brian Dussault (the director of engineering for Pivotal) wanted to make sure all users of Spring Data REST had sufficient time to update. So the delay is due to the Semmle/lgtm team taking its responsibilities extremely seriously."

The fix is a candidate for early triage, not least because the remote code execution vulnerability it addresses is the same class of weakness (expression-language injection, OGNL in that case, SpEL here) as the Apache Struts flaw determined to be the root cause of the infamous Equifax breach.

The critical flaw affects several Pivotal Spring projects. Left unresolved, it allows attackers to execute arbitrary commands on any server running an application that exposes Spring Data REST endpoints.

RESTful APIs are commonly reachable from the public internet, giving attackers an easy route to take control of production servers and lift sensitive user data.

The vuln was found by security researcher Man Yue Mo at Semmle — the team behind the QL code inspection tool lgtm.

The vulnerability is caused by the way Spring's own expression language (SpEL) is used in the Data REST component. Spring Data REST accepts JSON Patch documents on PATCH requests, and the "path" of each patch operation was rewritten into a SpEL expression and evaluated against the target entity without any check that it named only a property. Because that input was never validated, a client could place arbitrary SpEL, including type references that call Java methods, in the field, and so execute arbitrary commands on any machine running an application built with Spring Data REST. The bug carries CVE-2017-8046 and is referred to by Pivotal in its release notes as DATAREST-1127.
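To make the mechanism concrete, here is an added example (not Spring Data REST's own code, and not the project's actual fix) that reproduces the vulnerable shape in miniature and places a hardened version beside it. The class `JsonPatchPathDemo`, the `Person` entity and the method names are hypothetical; the Spring `SpelExpressionParser`, `StandardEvaluationContext` and `SimpleEvaluationContext` APIs are real, the last of which Spring Framework added later (4.3.15 / 5.0.5) precisely for data-binding cases like this:

```java
// Added example, not code from Spring Data REST. Requires spring-expression on the classpath.
import java.util.regex.Pattern;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class JsonPatchPathDemo {

    /** Hypothetical domain object exposed through a REST repository. */
    public static class Person {
        private String lastName;
        public String getLastName() { return lastName; }
        public void setLastName(String lastName) { this.lastName = lastName; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Rewrites a JSON Pointer such as "/a/b/0" into the SpEL property path "a.b[0]". */
    static String pathToSpel(String jsonPointer) {
        StringBuilder spel = new StringBuilder();
        for (String node : jsonPointer.split("/")) {
            if (node.isEmpty()) continue;
            if (node.chars().allMatch(Character::isDigit)) {
                spel.append('[').append(node).append(']');
            } else {
                if (spel.length() > 0) spel.append('.');
                spel.append(node);
            }
        }
        return spel.toString();
    }

    /**
     * UNSAFE: the vulnerable shape. The request-supplied path becomes a SpEL expression and is
     * evaluated with a StandardEvaluationContext, which permits type references (T(...)),
     * method invocation and constructors. Whatever the client writes in front of the final
     * property name is executed with the application's privileges before the write fails.
     */
    static void applyUnsafe(Object target, String path, Object value) {
        Expression expr = PARSER.parseExpression(pathToSpel(path));
        EvaluationContext ctx = new StandardEvaluationContext(target);
        expr.setValue(ctx, value);
    }

    /** Accepts only a sequence of plain property names and numeric array indices. */
    private static final Pattern SAFE_POINTER =
            Pattern.compile("^(/([A-Za-z_][A-Za-z0-9_]*|[0-9]+))+$");

    /**
     * HARDENED: (1) reject any path that is not a plain JSON Pointer, so SpEL syntax never
     * reaches the parser; (2) evaluate with SimpleEvaluationContext, which supports property
     * access only and refuses T(...), method calls and constructors should (1) ever be bypassed.
     */
    static void applySafe(Object target, String path, Object value) {
        if (!SAFE_POINTER.matcher(path).matches()) {
            throw new IllegalArgumentException("Rejected JSON Patch path: " + path);
        }
        Expression expr = PARSER.parseExpression(pathToSpel(path));
        EvaluationContext ctx = SimpleEvaluationContext.forReadWriteDataBinding()
                .withRootObject(target)
                .build();
        expr.setValue(ctx, value);
    }

    public static void main(String[] args) {
        Person p = new Person();
        applySafe(p, "/lastName", "Smith");
        System.out.println(p.getLastName());

        // Constructed hostile path: a SpEL type reference smuggled in front of the property name.
        // pathToSpel turns it into "T(java.lang.Runtime).getRuntime().exec('id').lastName".
        String hostile = "T(java.lang.Runtime).getRuntime().exec('id')/lastName";
        try {
            applySafe(p, hostile, "x");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());   // rejected before the parser ever sees it
        }
        // applyUnsafe(p, hostile, "x") would run "id" while evaluating the left-hand chain.
    }
}
```

The order of the two defences matters: input validation stops the hostile path at the edge, while the restricted evaluation context is the backstop that turns any future parser-level surprise into an evaluation error rather than code execution. Neither replaces upgrading to the fixed Spring Data REST releases.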

"Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services," Semmle said.

The following Spring products and components are affected:

Users are strongly advised to upgrade to the latest versions of those components. ®
