CVE-2016-1000027 - Pivotal Spring Framework Vulnerability

Abstract

Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

The org.springframework:spring-web package is vulnerable to deserialization of untrusted data leading to Remote Code Execution (RCE). The readRemoteInvocation method in HttpInvokerServiceExporter.class does not properly verify or restrict untrusted objects prior to deserializing them. An attacker can exploit this vulnerability by sending malicious requests containing crafted objects, which when deserialized, execute arbitrary code on the vulnerable system.

The Oxygen Feedback product incorporates the Spring Framework as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Mitigation

None

Detail

CVE-2016-1000027

Severity: High

CVSS Score: 9.8

The Spring Web 5.2.9.RELEASE module(part of Spring Framework) third-party library used by Oxygen Feedback software products is an affected version mentioned in CVE-2016-1000027 vulnerability description. However, the Oxygen Feedback product is not affected by this vulnerability because the HttpInvokerServiceExporter class is not used.

Starting with Oxygen Feedback 1.3.1, the Spring Web module was rebuilt after we removed the classes and packages (org.springframework.remoting.caucho, org.springframework.remoting.httpinvoker) where the vulnerability was reported.

Therefore, the Oxygen Feedback product is not impacted by CVE-2016-1000027.