Serious Flaws Endanger Apps Built with Spring Framework

The developers of Spring, the popular framework for building Java web applications, patched three vulnerabilities this past week, including a critical one that can be exploited for remote code execution.

The most serious flaw is in the spring-messaging module, which lets applications expose Simple Text Oriented Messaging Protocol (STOMP) endpoints over WebSocket backed by the framework's simple in-memory STOMP broker. The broker evaluates a Spring Expression Language (SpEL) expression taken from a message header, so an attacker who can reach such an endpoint can gain remote code execution by sending specially crafted STOMP messages to the broker.

The vulnerability, tracked as CVE-2018-1270, affects Spring Framework 5.0 through 5.0.4 and 4.3 through 4.3.14, as well as older branches that are no longer supported and will not receive patches. Users are strongly advised to upgrade to the newly released Spring Framework 5.0.5 or 4.3.15, depending on which branch they use.

A second, high-severity vulnerability, CVE-2018-1271, affects applications that use Spring MVC to serve static resources such as CSS, JavaScript and images from the file system on Windows, rather than from the classpath or the ServletContext. The flaw allows an attacker to perform a directory traversal and access restricted resources by requesting a specially crafted URL.

Applications are not affected if they do not use Tomcat or WildFly as their server, do not run on Windows, or do not use a “file:” resource location to serve files from the file system.

The third vulnerability patched in Spring Framework 5.0.5 and 4.3.15, CVE-2018-1272, can lead to privilege escalation, but is rated low severity because exploitation depends on an additional attack vector.

“When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects,” the Spring developers noted in their advisory.

However, for this to succeed, the attacker “would have to be able to guess the multipart boundary value chosen by server A for the multipart request to server B, which requires the attacker to also have control of the server or the ability to see the HTTP log of server A through a separate attack vector.”
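To make the mechanism in the advisory concrete, here is an added example (not code from this article or from the Spring project) that simulates server A forwarding a client-supplied field to server B inside a multipart/form-data request. The field names, the values, the simple parser standing in for server B and the boundary check are constructed for illustration; the point it shows is that the injected second part only lands if the attacker knows server A's boundary, and that a server that refuses to embed a value containing its own boundary closes the hole regardless.

```python
import secrets

# Constructed example: server A forwards a client-supplied "comment" field to
# server B inside a multipart/form-data request. The field names, values,
# the parser and the boundary check are illustrative assumptions, not Spring's code.

def make_boundary():
    """An unguessable boundary; the attacker must know it to terminate a part."""
    return "----" + secrets.token_hex(16)


def build_multipart(fields, boundary):
    """Serialize fields as a multipart/form-data body (RFC 7578 layout)."""
    out = []
    for name, value in fields.items():
        out.append(f"--{boundary}\r\n")
        out.append(f'Content-Disposition: form-data; name="{name}"\r\n\r\n')
        out.append(f"{value}\r\n")
    out.append(f"--{boundary}--\r\n")
    return "".join(out)


def ensure_no_boundary(fields, boundary):
    """Server A's defence: refuse to embed any value that contains the boundary."""
    for name, value in fields.items():
        if boundary in value:
            raise ValueError(f"field {name!r} contains the multipart boundary")


def server_a_request(client_comment, boundary, validate=False):
    """Server A: 'role' is chosen by server A, 'comment' comes from the remote client."""
    fields = {"role": "user", "comment": client_comment}
    if validate:
        ensure_no_boundary(fields, boundary)
    return build_multipart(fields, boundary)


def parse_multipart(body, boundary):
    """Server B: a simple parser; a later part with the same name overrides an earlier one."""
    parts = {}
    for chunk in body.split(f"--{boundary}"):
        if not chunk or chunk.startswith("--"):   # preamble or closing delimiter
            continue
        head, _, value = chunk.partition("\r\n\r\n")
        if 'name="' not in head:
            continue
        name = head.split('name="', 1)[1].split('"', 1)[0]
        parts[name] = value.rstrip("\r\n")
    return parts


def inject_extra_part(guessed_boundary):
    """Attacker's comment: tries to close the comment part and add a second 'role' part."""
    return ("hello\r\n--" + guessed_boundary +
            '\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin')


if __name__ == "__main__":
    b = make_boundary()
    # Attacker knows the boundary: server B sees role=admin.
    print(parse_multipart(server_a_request(inject_extra_part(b), b), b))
    # Attacker guesses wrong: the junk stays inside the comment, role=user.
    print(parse_multipart(server_a_request(inject_extra_part("guess"), b), b))
```

With a boundary drawn from `secrets`, a remote client cannot predict it, which is the precondition the advisory describes; the `validate=True` path shows the belt-and-braces check that rejects the request outright if a value would ever contain the boundary, so a leaked log or a weak random source no longer matters.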

Spring has a modular architecture and is very popular with application developers, especially in the enterprise. According to a 2016 survey of 2,040 Java developers, Spring MVC and Spring Boot were the two most popular web frameworks, used by 43 percent and 29 percent of respondents, respectively.

Intel Warns Users to Remove Mobile Remote Keyboard App

Intel has decided to discontinue one of its mobile applications, an Android and iOS app that let users remotely control their Intel NUC and Intel Compute Stick devices. The decision was taken after security researchers found serious vulnerabilities in the application.

“Intel has issued a Product Discontinuation notice for Intel Remote Keyboard and recommends that users of the Intel Remote Keyboard uninstall it at their earliest convenience,” the company said in a security advisory.

The application has already been removed from Apple’s App Store and Google Play, but it had been installed more than 500,000 times on Android devices alone, so the number of affected users is significant.

The vulnerabilities Intel has decided not to patch are serious. One of them is rated 9.0 out of 10 on the CVSS scale and allows a network attacker to inject keystrokes as a local user, potentially taking over devices controlled through the app.

A second vulnerability (CVSS 8.8) allows a local attacker to inject keystrokes into a remote keyboard session, while the third flaw (CVSS 7.2) allows a local attacker to execute arbitrary code as a privileged user.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42