Spring Framework / Spring Security Serialization-Based Issues

Posted Sep 9, 2011
Authored by Wouter Coekaerts, SpringSource Security Team

Spring Framework versions 3.0.0 to 3.0.5 and Spring Security versions 2.0.0 to 2.0.6 and 3.0.0 to 3.0.5 suffer from serialization issues. Several issues have been reported which may affect applications which de-serialize objects from an untrusted source such as a remote client. It is possible for a malicious client to inject undesirable behavior into the server by serializing proxies rather than specific class instances, or by taking advantage of internal AOP interfaces which were being exposed through the remote service, in addition to the service interface.

tags | advisory, remote
advisories | CVE-2011-2894
SHA-256 | f905e5bf5433c31b6e389d1aca05670a117b1f5976e8502215745fe22fe34fc4

CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities

Severity: Critical

Versions Affected:

Spring Framework:
3.0.0 to 3.0.5

Spring Security:
2.0.0 to 2.0.6
3.0.0 to 3.0.5

Earlier versions may also be affected.

Description:

Several issues have been reported which may affect applications which de-serialize objects from an untrusted source such as a remote client. It is possible for a malicious client to inject undesirable behaviour into the server by serializing proxies rather than specific class instances, or by taking advantage of internal AOP interfaces which were being exposed through the remote service, in addition to the service interface.


Example:

It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service.

Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to circumvent the server-side checking of the submitted token.


Mitigation:

Applications which use serialization-based remoting are likely to be vulnerable. In the long-term, we would recommend users migrate away from serialization-based remoting in cases where the client cannot be trusted, as it is a potential source of vulnerabilities in both Spring and non-Spring applications.

All users may mitigate this issue by upgrading to Spring Framework 3.0.6 and Spring Security 3.0.6. Spring Framework users should make use of the additional features introduced to prevent deserialization of malicious proxies. These are described below.

Users of Spring Security 2.0.x may upgrade to 2.0.7.


Fix:

RemoteInvocationSerializingExporter (the base class for HttpInvokerServiceExporter) now has an "acceptProxyClasses" flag which should be set to false if using Spring remoting. This will prevent any deserialization of proxies through Spring remoting, thus providing additional protection against future attacks of this kind which may use other serializable classes.
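The following is an added illustration, not Spring's own code: a minimal ObjectInputStream that refuses to resolve java.lang.reflect.Proxy class descriptors, which is the effect the "acceptProxyClasses = false" setting has on Spring remoting. The class name, the benign NoopHandler and the sample objects are constructed for the demo; a plain serializable object still deserializes, while a proxy instance is rejected before its InvocationHandler can be instantiated.

```java
import java.io.*;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.ArrayList;

/** Added example (not Spring's code): an ObjectInputStream that refuses dynamic proxy classes,
 *  mirroring what RemoteInvocationSerializingExporter does when acceptProxyClasses is false. */
public class ProxyRejectingInputStream extends ObjectInputStream {

    public ProxyRejectingInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called by the deserialization machinery whenever the stream carries a proxy class
    // descriptor. Throwing here stops any proxy (and its InvocationHandler) being created.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException("Dynamic proxy classes are not permitted: " + String.join(",", interfaces));
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ProxyRejectingInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Serializable handler so the proxy itself can be written to the stream (constructed, benign).
    static class NoopHandler implements InvocationHandler, Serializable {
        public Object invoke(Object proxy, Method m, Object[] args) { return null; }
    }

    public static void main(String[] args) throws Exception {
        // An ordinary serializable argument still round-trips normally.
        ArrayList<String> plain = new ArrayList<>();
        plain.add("service-argument");
        System.out.println("plain object: " + deserialize(serialize(plain)));

        // A java.lang.reflect.Proxy over a harmless interface is refused at class resolution time.
        Runnable proxy = (Runnable) Proxy.newProxyInstance(Runnable.class.getClassLoader(),
                new Class<?>[] { Runnable.class }, new NoopHandler());
        try {
            deserialize(serialize(proxy));
            System.out.println("proxy accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("proxy rejected: " + e.getMessage());
        }
    }
}
```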

DefaultListableBeanFactory instances can no longer be deserialized other than through a SerializedBeanFactoryReference, which resolves to an existing bean factory instance on the server side. In addition, the serialization ID can be customized, to prevent a client from guessing it, by setting a value for "contextId" in the web.xml file as a context-param and as an init-param for instances of FrameworkServlet (such as Spring's DispatcherServlet).

RemoteExporter now uses an "opaque" proxy to limit exported methods to those of the service interface. This prevents access to interfaces such as org.springframework.aop.framework.Advised.

Spring Security remoting has been changed to prevent the submission of an Authentication instance by a remote client. It now only supports username/password authentication. This removes any possibility of an untrusted Authentication object being created on the server and prevents any of the associated attack vectors.

Credit:

The issue was discovered by Wouter Coekaerts (http://wouter.coekaerts.be/).

History:
2011-09-09: Original advisory

References:
[1] http://www.springsource.com/security/cve-2011-2731