SerializableTypeWrapper.MethodInvokeTypeProvider can be exploited for unsafe deserialization [SPR-13656] #18232
Comments
|
Juergen Hoeller commented I do not see why Are you possibly concerned about the inner |
|
Juergen Hoeller commented I suppose you're referring to this one, which is indeed based on I've renamed this issue accordingly, making it specifc to the |
|
Juergen Hoeller commented It looks like we should guard the potential method names and/or target types handled by However, note that the only really safe measure is to not use object serialization at application entry points to begin with. In Spring land, this means that you shouldn't be using HTTP Invoker or RMI Invoker but rather REST endpoints with JSON payloads or the like. We are not accepting serialized input anywhere out of the box, so this is really a measure to be taken at the application level. |
|
Juergen Hoeller commented Fixed for 4.2.3 now, and to be backported to 4.1.9. We're lazily invoking the method in Juergen |
|
Yanming Zhou commented I really like HttpInvoker for SOA rather than REST with JSON. |
|
Gil Collins commented Does this issue exist in prior versions of the Spring Framework or is it strictly limited to 4.1.8 and 4.2.2 ? Thank you |
|
Juergen Hoeller commented The original form of As for our advice about not accepting Java serialization to begin with, note that this is about untrusted clients. HTTP Invoker within a trusted server system is not an issue; it's just about Java serialization based endpoints that can be accessed by anyone out there. Juergen |
|
Gil Collins commented One final question, should someone wanting to fix this issue take the snapshot or wait for the GA? |
|
Juergen Hoeller commented Feel free to use This hasn't been backported to 4.1.9 yet, so doesn't appear in the snapshots there yet. We'll do a comprehensive backporting effort for 4.1.9 later this week. Juergen |
|
Tim Farley commented Is there a CVE number assigned to this issue? That's important so consumers of Spring will be aware this issue was fixed and that they should patch to close any associated security holes. |
|
Mark commented 4.2.3 has been released and is available. But when will 4.1.9 be available? From CAMEL-9402
|
|
Juergen Hoeller commented This has been backported to 4.1.x a few weeks ago already and is therefore available in the FWIW, as far as we are aware, a common Spring 4.1.x based application can be smoothly upgraded to 4.2.x simply through a version change in your POM. This applies for Boot 1.2.x applications as well which are technically on Spring 4.1.x but also work with 4.2.x; and it should also apply in combination with the use of Camel 2.16. Are there any upgrade issues? Juergen |
|
Juergen Hoeller commented Actually, it would be of great help to us if you could test the latest Juergen |
|
Chris Feldhacker commented Is there a CVE number for this issue? Can one be created? |
|
Juergen Hoeller commented There's no CVE number that I'm aware of, since this hasn't been reported through the regular vulnerability channels. It rather just got published in an attention-seeking article. That aside, we strongly recommend against exposing serialization-based endpoints to untrusted clients. The real vulnerability are such endpoints in concrete applications: The misuse of specific classes on the classpath is a tool to break those endpoints, and Spring's Once again, only applications with public endpoints that accept Java serialization from untrusted clients are affected. Any such severity rating would only apply under that condition. Juergen |
|
Juergen Hoeller commented FYI, an article that essentially takes our perspective as well: http://www.javaworld.com/article/3003197/security/library-misuse-exposes-leading-java-platforms-to-attack.html |
|
Stephen J. Muir commented Can someone elaborate on how this has been fixed please. For example, when the endpoint receives a serialized object, how does it know if it's got any classes in it which shouldn't be there. |
|
Juergen Hoeller commented FWIW, from our perspective (and not just ours), the only proper fix is to not expose such endpoints to untrusted clients to begin with. Any other data representation - XML, JSON, custom data formats - is a way better choice for untrusted clients. Blacklisting of classes for serialization endpoints is never going to be a complete solution, and whitelisting is going to be a lot of pain to maintain. Other data formats provide a way better tradeoff overall and are very worth a refactoring. If you have to keep using serialization on your system boundary, make sure that those endpoints are only accessible to trusted clients and that interaction with them is properly logged (and therefore traceable after misuse). As for this particular issue here, it's solely about tightening our Juergen |
|
Nebula commented hi, I just said that the actual use of this vulnerability, control a redis server is very easy, spring-data-redis able to remote code execution. no loopholes announcement developers will not know the existence of this problem. |
|
Juergen Hoeller commented Nebula, fair enough. We released several notes to the effect of not exposing serialization-based endpoints to untrusted clients, and this seems to be a variant thereof. It's certainly worth making the Spring Data Redis team aware of the value serialization risk; however, I don't see a pending fix there other than recommending an upgrade to Spring 4.1.9+ and not configuring value serialization in such scenarios. Juergen |
spring-projects-issues
added
type: bug
Yanming Zhou opened SPR-13656* and commented
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://github.com/frohoff/ysoserial
Affects: 4.1.8, 4.2.2
Issue Links:
Backported to: 4.1.9
0 votes, 16 watchers
The text was updated successfully, but these errors were encountered: