[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE-2011-2731: Spring Security privilege escalation when using RunAsManager
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: CVE-2011-2731: Spring Security privilege escalation when using RunAsManager
- From: s2-security <s2-security@xxxxxxxxxx>
- Date: Fri, 9 Sep 2011 01:41:03 -0700
CVE-2011-2731: Spring Security privilege escalation when using RunAsManager
Severity: Moderate
Versions Affected:
2.0.0 to 2.0.6
3.0.0 to 3.0.5
Earlier versions may also be affected
Description:
Spring Security provides a mechanism (RunAsManager) to allow particular
operations to run with a different set of privileges than the predefined user.
The implementation contains a race condition whereby the escalated privileges
could also be used in a different invocation in another thread.
Example:
If the RunAsManager returns an Authentication object for the current
invocation, the security interceptor will temporarily store this in the
security context for the duration of the invocation. This authentication object
would be shared with other concurrently executing threads, leading to a
possible escalation of privileges in those threads.
Mitigation:
If you are not using a RunAsManager implementation, then you are not affected
by this issue.
All users may mitigate this issue by upgrading to 3.0.6
Users of 2.0.x may upgrade to 2.0.7
Fix:
This issue was fixed by ensuring that the a new thread-local security context
is created during run-as replacement and the temporary authentication token
copied to it.
Credit:
The issue was discovered by Rob Winch.
History:
2011-09-09: Original advisory
References:
[1] http://www.springsource.com/security/cve-2011-2731