CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities
- From: s2-security <s2-security@xxxxxxxxxx>
- Date: Fri, 9 Sep 2011 01:40:50 -0700
CVE-2011-2894: Spring Framework and Spring Security serialization-based
remoting vulnerabilities
Severity: Critical
Versions Affected:
Spring Framework:
3.0.0 to 3.0.5
Spring Security:
2.0.0 to 2.0.6
3.0.0 to 3.0.5
Earlier versions may also be affected
Description:
Several issues have been reported which may affect applications which
de-serialize objects from an untrusted source such as a remote client. It is
possible for a malicious client to inject undesirable behaviour into the server
by serializing proxies rather than specific class instances, or by taking
advantage of internal AOP interfaces which were being exposed through the
remote service, in addition to the service interface.
Example:
It is possible to serialize a sub-classed DefaultListableBeanFactory instance
from the client to the server and use it to execute chosen commands on the
server, using the "java.lang.Runtime" class. The attack can be executed by
serializing a java.lang.Proxy instance in combination with an InvocationHandler
or by injecting the exploit as a substitute target source through the exposed
org.springframework.aop.framework.Advised interface of an exported remote
service.
Spring Security's remoting allows an authentication token (an implementation of
the Authentication interface) to be passed from the client, which is
authenticated on the server. By crafting a proxy instance, it is possible to
circumvent the server-side checking of the submitted token.
Mitigation:
Applications which use serialization-based remoting are likely to be
vulnerable. In the long-term, we would recommend users migrate away from
serialization-based remoting in cases where the client cannot be trusted, as it
is a potential source of vulnerabilities in both Spring and non-Spring
applications.
All users may mitigate this issue by upgrading to Spring Framework 3.0.6 and
Spring Security 3.0.6. Spring Framework users should make use of the additional
features introduced to prevent deserialization of malicious proxies. These are
described below.
Users of Spring Security 2.0.x may upgrade to 2.0.7.
Fix:
RemoteInvocationSerializingExporter (the base class for
HttpInvokerServiceExporter) now has an "acceptProxyClasses" flag which should
be set to false if using Spring remoting. This will prevent any deserialization
of proxies through Spring remoting, thus providing additional protection
against future attacks of this kind which may use other serializable classes.
DefaultListableBeanFactory instances can no longer be deserialized other than
through a SerializedBeanFactoryReference, which resolves to an existing bean
factory instance on the server side. In addition, the serialization ID can be
customized, to prevent a client from guessing it, by setting a value for
"contextId" in the web.xml file as a context-param and as an init-param for
instances of FrameworkServlet (such as Spring's DispatcherServlet).
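The two settings described above, shown as an added configuration example (not taken from the advisory or from the Spring project): the bean name "/accountService", the interface "example.AccountService", the bean "accountService" and the contextId value are assumed placeholders.

```xml
<!-- Spring MVC / remoting context (e.g. dispatcher-servlet.xml).
     Before the fix, the exporter accepted any serializable object,
     including java.lang.reflect.Proxy instances; acceptProxyClasses=false
     (Spring Framework 3.0.6+) makes the exporter reject them on read. -->
<bean name="/accountService"
      class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="service" ref="accountService"/>
    <property name="serviceInterface" value="example.AccountService"/>
    <!-- assumed bean and interface names; the property itself is the one the advisory names -->
    <property name="acceptProxyClasses" value="false"/>
</bean>

<!-- web.xml: give the bean factory a non-guessable serialization id.
     Set it once as a context-param for the root context and once as an
     init-param for each FrameworkServlet (DispatcherServlet here).
     Replace the placeholder value with a long, application-specific secret. -->
<context-param>
    <param-name>contextId</param-name>
    <param-value>REPLACE-WITH-UNGUESSABLE-CONTEXT-ID</param-value>
</context-param>

<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextId</param-name>
        <param-value>REPLACE-WITH-UNGUESSABLE-CONTEXT-ID</param-value>
    </init-param>
</servlet>
```

A quick check after deploying: an exporter still created without `acceptProxyClasses` set to false keeps the pre-3.0.6 behaviour, so audit every HttpInvokerServiceExporter bean, not just the one shown.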
RemoteExporter now uses an "opaque" proxy to limit exported methods to those of
the service interface. This prevents access to interfaces such as
org.springframework.aop.framework.Advised.
Spring Security remoting has been changed to prevent the submission of an
Authentication instance by a remote client. It now only supports
username/password authentication. This removes any possibility of an untrusted
Authentication object being created on the server and prevents any of the
associated attack vectors.
Credit:
The issue was discovered by Wouter Coekaerts (http://wouter.coekaerts.be/).
History:
2011-09-09: Original advisory
References:
[1] http://www.springsource.com/security/cve-2011-2731