My company's Sonatype scan shows Spring-Web is vulnerable even for the latest version (currently 5.2.3.RELEASE). It says "Found security vulnerability CVE-2016-1000027 with severity 9.8". I noticed CVE-2016-1000027 was added to the NATIONAL VULNERABILITY DATABASE on 01/02/2020, and it is about "Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data". Is this an obsolete ticket, or has it not been resolved after 4 years?
A vulnerability in Spring Cloud Function (CVE-2022-22963) allows adversaries to perform remote code execution (RCE) with only an HTTP request, and the vulnerability affects the majority of unpatched systems.
This issue is resolved from a Spring Framework point of view, see my latest comment summarizing the situation on that issue. Your application is only vulnerable if you're using HTTPInvokerServiceExporter or RemoteInvocationSerializingExporter and reading data from untrusted sources.
Deserializing Java code from untrusted sources is a well-known problem in Java (so, all Java applications and Frameworks!), and this feature might be removed in future Java versions.
Given the nature of this security problem (there's no way to "fix it" besides removing the classes, which will be done in the next major version of Spring Framework), contacting your vendor or your security team is the best course of action. The Spring team is happy to help the community with this matter by providing more context on that issue if needed.
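A quick way to check the exposure condition the answer describes is to search the code base for the two exporter classes it names. The script below is an added example, not code from the answer or from the Spring project; it scans Java sources and XML bean definitions, and the `SAMPLE_PROJECT` contents are constructed for illustration.

```python
import os
import re
from typing import Dict, List, Tuple

# The two classes the answer names. An application is only exposed to
# CVE-2016-1000027 if it wires one of these up and feeds it untrusted input.
EXPORTER_CLASSES = (
    "HttpInvokerServiceExporter",
    "RemoteInvocationSerializingExporter",
)
_NAMES = "|".join(EXPORTER_CLASSES)
# Java: import statements, field/return types, "extends ..." clauses.
_JAVA_RE = re.compile(r"\b(?:org\.springframework\.[\w.]*\.)?(" + _NAMES + r")\b")
# XML: <bean class="org.springframework....Exporter"/> definitions.
_XML_RE = re.compile(r'class\s*=\s*"([^"]*(?:' + _NAMES + r'))"')


def find_exporter_usages(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, simple_class_name) for every line that
    references one of the exporter classes. Input is {path: file contents}."""
    hits = []
    for path, text in files.items():
        regex = _XML_RE if path.endswith(".xml") else _JAVA_RE
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = regex.search(line)
            if match:
                hits.append((path, lineno, match.group(1).rsplit(".", 1)[-1]))
    return hits


def load_sources(root: str) -> Dict[str, str]:
    """Collect .java and .xml files under a real project directory."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".java", ".xml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return files


# Constructed sample project: one Java subclass, one XML bean, one clean file.
SAMPLE_PROJECT = {
    "src/main/java/demo/LegacyExporter.java": (
        "package demo;\n"
        "import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter;\n"
        "public class LegacyExporter extends RemoteInvocationSerializingExporter {\n"
        "}\n"
    ),
    "src/main/resources/remoting.xml": (
        '<bean name="/accountService"\n'
        '      class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter"/>\n'
    ),
    "src/main/java/demo/WebConfig.java": "package demo;\npublic class WebConfig {}\n",
}
```

Run `find_exporter_usages(load_sources("path/to/project"))` against a real checkout; an empty result means the exporters are not wired up and the scanner finding does not apply to that application.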