CVE-2017-4971: Remote Code Execution Vulnerability in the Spring Web Flow Framework

Earlier this year, we approached Pivotal with a vulnerability disclosure relating to the Spring Web Flow framework. The issue is caused by an unvalidated data binding SpEL expression, which makes applications built on the framework vulnerable to remote code execution (RCE) attacks when they are configured with default values. The vulnerability was recently made public on Pivotal's blog (https://pivotal.io/security/cve-2017-4971). This post explains in detail where the vulnerability was identified, using actual code samples, along with possible mitigations and details of the vendor fix. Pivotal has rated this as a medium severity issue; however, as is often the case, in a specific context this issue could be very significant.

Spring Web Flow is a subproject of the Spring framework and provides several components for implementing MVC web applications with integrated flow definition and management. The flows and MVC views can be configured using XML configuration files. The generated servlet/portlet view objects are vulnerable to remote code execution (RCE) attacks if configured with default values.

Proof-of-concept exploitation was performed on the following sample web application: https://github.com/spring-projects/spring-webflow-samples/tree/master/booking-mvc

ISSUE OVERVIEW

Analysing the framework, it was possible to identify the two conditions that are required for the generated web application to be vulnerable...