Critical flaw in Pivotal’s Spring Data REST allows to hack any machine that runs an application built on its components

Pierluigi Paganini March 05, 2018

A critical flaw in Pivotal’s Spring Data REST allows remote attackers to execute arbitrary commands on any machine that runs an application built using its components.

Pivotal’s Spring Data REST project is affected by a critical vulnerability, tracked as CVE-2017-8046, that was discovered by security researchers at Semmle/lgtm.

Pivotal’s Spring Framework a platform is widely used by development teams for building web applications.

Spring Data REST builds on top of Spring Data repositories, it allows to expose hypermedia-driven HTTP resources (collection, item, and association resources) representing your model) for aggregates contained in the model.

The components included in the Spring Data REST are used by developers to build Java applications that offer RESTful APIs to underlying Spring Data repositories.

The vulnerability is similar to the weaknesses found in Apache Struts that resulted in the Equifax data breach.

“Security researchers at lgtm.com have discovered a critical remote code execution vulnerability that affects various projects in Pivotal Spring, the world’s most popular framework for building web applications.” reads the security advisory published by Semmle/lgtm. “The vulnerability allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.”

Pivotal's Spring Data REST

This flaw ties the way Spring’s own expression language (SpEL) is used in the Data REST component. The lack of validation of the user input allows the attacker to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

“Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services,” continues the advisory.

Pivotal issued a security patch for a vulnerability it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.

“Malicious PATCH requests submitted to spring-data-rest servers can use specially crafted JSON data to run arbitrary Java code.” reads the security advisory published by Pivotal.

Researchers from lgtm.com have worked closely with Pivotal to solve the issue and publicly disclose the issue, the intent was to give Spring Data REST users sufficient time to update their apps.

The experts urge to apply the fix because it allows remote attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

The exploitation of the flaw in RESTful APIs could allow hackers to easily gain control over production servers and access sensitive information.

“This vulnerability in Spring Data REST is unfortunately very easy to exploit. As it is common for RESTful APIs to be publicly accessible, it potentially allows bad actors to easily gain control over production servers and obtain sensitive user data.” explained Man Yue Mo, lgtm.com security researcher at Semmle who discovered the issue.

The affected Spring products and components are:

  • Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3
    • (Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
  • Spring Boot, versions prior to 2.0.0M4
    • (when using the included Spring Data REST component: spring-boot-starter-data-rest)
  • Spring Data, versions prior to Kay-RC3

Hurry up, upgrade to the latest versions the aabove components.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Spring Data REST, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment