CVE-2015-5211 RFD Attack in Spring Framework


Severity

Important

Vendor

Spring by Pivotal

Versions Affected
  • Spring Framework 3.2.0 to 3.2.14
  • Spring Framework 4.0.0 to 4.1.7
  • Spring Framework 4.2.0 to 4.2.1
  • Other unsupported versions are also affected
Description

Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

For details and concrete examples see the very helpful RFD paper from Trustwave.

Mitigation

Users of affected Spring Framework versions should upgrade as follows:

  • For 3.2.x upgrade to 3.2.15+.
  • For 4.0.x and 4.1.x upgrade to 4.1.8+.
  • For 4.2.x upgrade to 4.2.2+.

In the above mentioned versions Spring MVC checks if the URL contains a file extension prior to writing with an HttpMessageConverter, and if the extension is unknown a “Content-Disposition” response header is added to suggest the download filename “f.txt”. The list of “known” extensions by default includes the ones associated with the built-in HttpMessageConverter implementations as well as any additional extensions explicitly registered for content negotiation purposes. For 4.x the fix also includes URL checks for SockJS URLs and validation of the JSONP callback parameter in all areas where JSONP is supported.

Additional Notes

Simply upgrading to the above mentioned versions will protect applications against RFD attacks. Some further steps can be also be taken:

  • Encode rather than escape JSON responses. This is also an OWASP XSS recommendation. For an example of how to do that with Spring see https://github.com/rwinch/spring-jackson-owasp.
  • Configure suffix pattern matching to be turned off or restricted to explicitly registered suffixes only.
  • Configure content negotiation with the properties “useJaf” and “ignoreUknownPathExtension” set to false which would result in a 406 response for URLs with unknown extensions. Note however that this may not be an option if URLs are naturally expected to have a dot towards the end.
  • Add 'X-Content-Type-Options: nosniff' header to responses. Spring Security 4 does this by default.
Credit

RFD attacks were described by Trustwave in a paper. The issue in the Spring Framework was responsibly reported to Pivotal by Alvaro Muñoz from HPE Security Research. Special thanks to Toshiaki Maki and Tomoyuki Ikeya from NTT DATA Corporation for helping to verify the solution and identifying additional ways to exploit the vulnerability.

References
History

2015-Oct-15: Initial vulnerability report published.