CVE-2016-2173 Remote Code Execution in Spring AMQP

Severity

Critical

Vendor

Spring by Pivotal

Versions Affected
  • 1.0.0 to 1.5.4

Description

The class org.springframework.core.serializer.DefaultDeserializer reads whatever object the supplied stream contains without validating the classes involved against a whitelist. The damage is done during deserialization itself: an attacker who can supply a crafted serialized object, such as the Apache Commons Collections gadget chain published by Chris Frohoff (ysoserial), achieves remote code execution as soon as the object is read, before any application code sees the result. Spring AMQP applications are exposed when they accept Java-serialized messages from producers that are not fully trusted.

Mitigation

Users of affected versions should apply the following mitigation:

  • The cited class (DefaultDeserializer) is not registered by any Spring application context automatically; users should take the same care when using it on objects from untrusted sources as they would when using ObjectInputStream directly.
  • Spring AMQP has an (optional) message converter, SerializerMessageConverter, that can use this deserializer; starting with version 1.5.5, that converter can be configured with a whitelist of acceptable packages/classes that may be deserialized.
  • Spring AMQP also has a SimpleMessageConverter which *is* configured by default; it does not use DefaultDeserializer, but it does use ObjectInputStream internally and is therefore exposed in the same way; it, too, can now be configured with a whitelist of packages/classes.
  • It is recommended that users do not use Java serialization at all when using RabbitMQ in an environment where untrusted data might be received (a JSON converter such as Jackson2JsonMessageConverter avoids the problem entirely); if Java serialization is required, configure the converter with the allowable classes.
  • Users that might be exposed to this vulnerability should upgrade to Spring AMQP 1.5.5 or higher and configure the whitelist; upgrading alone is not sufficient if the whitelist is left unset.
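The two mitigations above in code, as an added example that is not part of this advisory or of the Spring AMQP project: a look-ahead ObjectInputStream for code that deserializes directly (first bullet), and the default SimpleMessageConverter first without and then with a whitelist (remaining bullets). OrderEvent, the demo class and helper names, and the sample payloads are constructed for this example; the setWhiteListPatterns setter and its pattern syntax are my assumptions about the 1.5.5 API (the advisory only says the converters "can now be configured with a whitelist"), and the exception type the restricted converter throws is likewise my understanding, not something the page states.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

import org.springframework.amqp.core.Message;
import org.springframework.amqp.core.MessageProperties;
import org.springframework.amqp.support.converter.SimpleMessageConverter;

public class SerializationWhitelistDemo {

    // Illustrative application payload type (assumed for this example).
    public static class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }

    // Look-ahead ObjectInputStream for code that reads Java-serialized data directly.
    // resolveClass runs before any instance of the named class is created, so an
    // unlisted class is refused before a gadget chain can execute.
    public static class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Wraps a serialized body as the AMQP message a Java-serialization producer sends.
    static Message serializedMessage(byte[] body) {
        MessageProperties props = new MessageProperties();
        props.setContentType(MessageProperties.CONTENT_TYPE_SERIALIZED_OBJECT);
        return new Message(body, props);
    }

    public static void main(String[] args) throws Exception {
        byte[] expectedBody = serialize(new OrderEvent("A-1001"));
        // Stand-in for an attacker-controlled payload: any class outside the whitelist.
        // A real attack would carry a gadget chain here; java.util.Date is harmless.
        byte[] foreignBody = serialize(new java.util.Date());

        // 1. Direct ObjectInputStream use: list the exact class names you expect.
        Set<String> names = Collections.singleton(OrderEvent.class.getName());
        try (ObjectInputStream in = new WhitelistObjectInputStream(
                new ByteArrayInputStream(expectedBody), names)) {
            System.out.println("direct read accepted: " + ((OrderEvent) in.readObject()).orderId);
        }
        try (ObjectInputStream in = new WhitelistObjectInputStream(
                new ByteArrayInputStream(foreignBody), names)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("direct read rejected: " + e.getMessage());
        }

        // 2. The default converter as wired before 1.5.5 (and in 1.5.5+ with no
        //    whitelist configured): every class in the stream is deserialized.
        SimpleMessageConverter unrestricted = new SimpleMessageConverter();
        System.out.println("unrestricted converter returned: "
                + unrestricted.fromMessage(serializedMessage(foreignBody)).getClass().getName());

        // 3. The 1.5.5+ mitigation: the same converter with a whitelist. Setter name and
        //    pattern syntax (exact names or wildcards such as "com.example.events.*")
        //    are my assumptions about the 1.5.5 API.
        SimpleMessageConverter restricted = new SimpleMessageConverter();
        restricted.setWhiteListPatterns(Collections.singletonList(OrderEvent.class.getName()));
        OrderEvent ok = (OrderEvent) restricted.fromMessage(serializedMessage(expectedBody));
        System.out.println("restricted converter accepted: " + ok.orderId);
        try {
            restricted.fromMessage(serializedMessage(foreignBody));
        } catch (RuntimeException e) { // a SecurityException in 1.5.5, to my understanding
            System.out.println("restricted converter rejected: " + e.getMessage());
        }
    }
}
```

Run with spring-amqp 1.5.5 or later on the classpath. The hand-written stream hooks resolveClass, so its check applies to every class descriptor in the stream rather than only the outermost type; that matters because a gadget chain can be nested inside a field of an otherwise permitted object, and the 1.5.5 converter whitelist, as I understand it, is enforced at the same point. Whitelist the concrete classes you actually exchange, not a broad package prefix that happens to contain them.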

Credit

Vulnerability discovery by Matthias Kaiser of Code White (www.code-white.com)

References
History

2016-Apr-11: Initial vulnerability report published.