===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1395
                      libspring-java security update
                               26 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libspring-java
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15756 CVE-2018-11040 CVE-2018-11039 CVE-2018-1270

Reference:         ESB-2020.2537
                   ESB-2020.1400

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2635-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/
April 23, 2021                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libspring-java
Version        : 4.3.5-1+deb9u1
CVE ID         : CVE-2018-1270 CVE-2018-11039 CVE-2018-11040 CVE-2018-15756
Debian Bug     : 895114 911786

Multiple vulnerabilities were discovered in libspring-java, a modular
Java/J2EE application framework. An attacker may execute code, perform an
XST attack, issue unauthorized cross-domain requests or cause a DoS
(Denial-of-Service) in specific configurations.

CVE-2018-1270

    Spring Framework allows applications to expose STOMP over WebSocket
    endpoints with a simple, in-memory STOMP broker through the
    spring-messaging module. A malicious user (or attacker) can craft a
    message to the broker that can lead to a remote code execution attack.
CVE-2018-11039

    Spring Framework allows web applications to change the HTTP request
    method to any HTTP method (including TRACE) using the
    HiddenHttpMethodFilter in Spring MVC. If an application has a
    pre-existing XSS vulnerability, a malicious user (or attacker) can use
    this filter to escalate to an XST (Cross Site Tracing) attack.

CVE-2018-11040

    Spring Framework allows web applications to enable cross-domain
    requests via JSONP (JSON with Padding) through
    AbstractJsonpResponseBodyAdvice for REST controllers and
    MappingJackson2JsonView for browser requests. Neither is enabled by
    default in Spring Framework or Spring Boot; however, when
    MappingJackson2JsonView is configured in an application, JSONP support
    is automatically ready to use through the "jsonp" and "callback" JSONP
    parameters, enabling cross-domain requests.

CVE-2018-15756

    Spring Framework provides support for range requests when serving
    static resources through the ResourceHttpRequestHandler, or starting
    in 5.0 when an annotated controller returns an
    org.springframework.core.io.Resource. A malicious user (or attacker)
    can add a Range header with a high number of ranges, or with wide
    ranges that overlap, or both, for a denial of service attack.

For Debian 9 stretch, these problems have been fixed in version
4.3.5-1+deb9u1.

We recommend that you upgrade your libspring-java packages.
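The CVE-2018-15756 entry describes requests whose Range header carries either very many ranges or wide, overlapping ranges. The following is an added example (not Debian's patch nor Spring Framework's own code) of the kind of sanity check a resource handler can apply before slicing a file: it caps the number of ranges and refuses any request whose ranges add up to more bytes than the resource holds, which bounds the work a single request can demand. The class and record names and the MAX_RANGES value are assumptions chosen for this example; it needs Java 16 or later for the record.

```java
import java.util.ArrayList;
import java.util.List;

/** Validates an HTTP Range header before a static resource is sliced into regions. */
public final class RangeHeaderGuard {
    static final int MAX_RANGES = 100; // assumed policy limit, chosen for this example
    public record ByteRange(long start, long end) {} // inclusive byte offsets
    // Parses "bytes=a-b, c-, -n" against a resource of resourceLength bytes and rejects the
    // patterns the advisory names: too many ranges, and overlapping or overly wide ranges.
    public static List<ByteRange> parse(String header, long resourceLength) {
        if (header == null || !header.startsWith("bytes=")) {
            throw new IllegalArgumentException("unsupported or missing range unit");
        }
        String[] specs = header.substring("bytes=".length()).split(",");
        if (specs.length > MAX_RANGES) {
            throw new IllegalArgumentException("too many ranges: " + specs.length);
        }
        List<ByteRange> ranges = new ArrayList<>();
        long total = 0; // bytes requested so far across all ranges
        for (String raw : specs) {
            String spec = raw.trim();
            int dash = spec.indexOf('-');
            if (dash < 0) throw new IllegalArgumentException("malformed range: " + spec);
            long start, end;
            if (dash == 0) { // suffix range "-n": the last n bytes
                start = Math.max(0, resourceLength - Long.parseLong(spec.substring(1)));
                end = resourceLength - 1;
            } else { // "a-b", or open-ended "a-"
                start = Long.parseLong(spec.substring(0, dash));
                String tail = spec.substring(dash + 1);
                end = tail.isEmpty() ? resourceLength - 1
                                     : Math.min(Long.parseLong(tail), resourceLength - 1);
            }
            if (start > end || start >= resourceLength) {
                throw new IllegalArgumentException("unsatisfiable range: " + spec);
            }
            total += end - start + 1;
            if (total > resourceLength) { // overlap or wide ranges: sum exceeds the file
                throw new IllegalArgumentException("ranges add up to more than the resource");
            }
            ranges.add(new ByteRange(start, end));
        }
        return ranges;
    }
    public static void main(String[] args) {
        System.out.println(parse("bytes=0-99, 200-299", 1000)); // two regions, accepted
        try { parse("bytes=0-999, 0-999", 1000); }               // whole file twice: rejected
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Non-overlapping ranges always sum to at most the resource length, so the total-size check never rejects a legitimate request; it only trips when duplication or overlap inflates the bytes a single response would have to produce.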
For the detailed security status of libspring-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libspring-java

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.