Vulnerability in Pivotal’s Spring Data REST allows remote hackers to execute arbitrary commands on any machine that runs an application built using its components.
The vulnerability was tracked as CVE-2017-8046 that was discovered by information security training experts at Semmie/lgtm. Pivotal’s Spring Framework a platform is widely used by development teams for building web applications.
Spring Data REST builds on top of Spring Data repositories; it allows exposing hypermedia-driven HTTP resources for aggregates contained in the model. The components included in the Spring Data REST are used by developers to build Java applications that offer RESTful APIs to underlying Spring Data repositories.
The vulnerability is similar to the weaknesses found in Apache Struts that resulted in the Equifax data breach.
“Information security training researchers at lgtm.com have discovered a remote code execution vulnerability that affects various projects in Pivotal Spring.” reads the security advisory published by the company that discovers the flaw. “The vulnerability allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.”
This vulnerability ties the way Spring’s own expression language (SpEL) is used in the Data REST component. The lack of validation of the user input allows the attacker to execute arbitrary commands on any machine that runs an application built using Spring Data REST.
“Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services,” comments the information security training professional.
Pivotal issued a security patch for a vulnerability it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.
“Malicious PATCH requests submitted to spring-data-rest servers can use specially crafted JSON data to run arbitrary Java code.” reads the security advisory published by Pivotal. Information security training researchers have worked closely with Pivotal to solve the issue and publicly disclose the issue, the intent was to give Spring Data REST users sufficient time to update their apps.
The exploitation of the flaw in RESTful APIs could allow hackers to easily gain control over production servers and access sensitive information.
“This vulnerability in Spring Data REST is unfortunately very easy to exploit. As it is common for RESTful APIs to be publicly accessible, it potentially allows bad actors to easily gain control over production servers and obtain sensitive user data.” explained the information security training specialist who discovered the flaw.
The affected Spring products and components are:
- Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3
(Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
- Spring Boot, versions prior to 2.0.0M4
(When using the included Spring Data REST component: spring-boot-starter-data-rest)
- Spring Data, versions prior to Kay-RC3
Information security training professionals recommend upgrade to the latest versions the above components.