-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1395
                      libspring-java security update
                               26 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libspring-java
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15756 CVE-2018-11040 CVE-2018-11039
                   CVE-2018-1270  

Reference:         ESB-2020.2537
                   ESB-2020.1400

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2635-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                     
April 23, 2021                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : libspring-java
Version        : 4.3.5-1+deb9u1
CVE ID         : CVE-2018-1270 CVE-2018-11039 CVE-2018-11040 CVE-2018-15756
Debian Bug     : 895114 911786

Multiple vulnerabilities were discovered in libspring-java, a modular
Java/J2EE application framework. An attacker may execute code, perform
an XST attack, issue unauthorized cross-domain requests or cause a DoS
(Denial-of-Service) in specific configurations.

CVE-2018-1270

    Spring Framework allows applications to expose STOMP over
    WebSocket endpoints with a simple, in-memory STOMP broker through
    the spring-messaging module. A malicious user (or attacker) can
    craft a message to the broker that can lead to a remote code
    execution attack.

CVE-2018-11039

    Spring Framework allows web applications to change the HTTP
    request method to any HTTP method (including TRACE) using the
    HiddenHttpMethodFilter in Spring MVC. If an application has a
    pre-existing XSS vulnerability, a malicious user (or attacker) can
    use this filter to escalate to an XST (Cross Site Tracing) attack.

CVE-2018-11040

    Spring Framework allows web applications to enable cross-domain
    requests via JSONP (JSON with Padding) through
    AbstractJsonpResponseBodyAdvice for REST controllers and
    MappingJackson2JsonView for browser requests. Neither is enabled
    by default in Spring Framework or Spring Boot; however, when
    MappingJackson2JsonView is configured in an application, JSONP
    support is automatically available through the "jsonp" and
    "callback" JSONP request parameters, enabling cross-domain requests.

CVE-2018-15756

    Spring Framework provides support for range requests when serving
    static resources through the ResourceHttpRequestHandler, or,
    starting in 5.0, when an annotated controller returns an
    org.springframework.core.io.Resource. A malicious user (or
    attacker) can send a Range header with a high number of ranges, or
    with wide overlapping ranges, or both, to cause a denial of
    service.
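
The three HTTP-facing issues above (the method override behind
CVE-2018-11039, the "jsonp"/"callback" parameters behind CVE-2018-11040
and the abusive Range headers behind CVE-2018-15756) can all be
recognised at the request level, for instance in a reverse proxy, a WAF
rule or a servlet filter placed in front of an unpatched application.
The following Python inspector is an added example and is not code from
Debian or from the Spring project; the request representation (a dict of
method, query parameters and headers), the MAX_RANGES limit, the
override allowlist and the sample requests are assumptions chosen for
illustration. The "_method" parameter name is the default used by
HiddenHttpMethodFilter.

```python
import re

# Illustrative limits (assumptions, not values from the advisory).
MAX_RANGES = 10                                  # more byte ranges than this is treated as abusive
ALLOWED_OVERRIDES = {"PUT", "DELETE", "PATCH"}   # methods a POST may be rewritten to via _method
JSONP_PARAMS = {"jsonp", "callback"}             # parameter names from CVE-2018-11040

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header, size):
    """Parse a 'bytes=a-b,c-d' Range header into a list of (start, end) pairs
    for a resource of `size` bytes. Returns None when the header is
    syntactically invalid (a server would then ignore it). Unsatisfiable
    ranges (start beyond the resource) are skipped."""
    if not header.startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                      # suffix range: the last N bytes
            start = max(size - int(last), 0)
            end = size - 1
        else:
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
        if start <= end:
            ranges.append((start, end))
    return ranges


def overlapping(ranges):
    """True if any two ranges share at least one byte."""
    ordered = sorted(ranges)
    return any(ordered[i][1] >= ordered[i + 1][0] for i in range(len(ordered) - 1))


def check_range_header(header, size):
    """Flag the two abuse patterns named for CVE-2018-15756: too many ranges
    and overlapping ranges."""
    ranges = parse_ranges(header, size)
    if ranges is None:
        return []
    findings = []
    if len(ranges) > MAX_RANGES:
        findings.append(f"range: {len(ranges)} ranges exceeds limit {MAX_RANGES}")
    if overlapping(ranges):
        findings.append("range: overlapping ranges")
    return findings


def check_method_override(method, params):
    """HiddenHttpMethodFilter rewrites a POST to the method named in _method;
    anything outside the allowlist (TRACE in particular) is flagged."""
    override = params.get("_method")
    if method == "POST" and override and override.upper() not in ALLOWED_OVERRIDES:
        return [f"method override to {override.upper()} not in allowlist"]
    return []


def check_jsonp(params):
    """Flag requests carrying the parameters that switch on JSONP output."""
    present = JSONP_PARAMS & set(params)
    return [f"jsonp: parameter(s) {sorted(present)} would trigger JSONP"] if present else []


def inspect(request, resource_size=1_000_000):
    """Run all checks over one request; returns a list of findings (empty if clean)."""
    findings = []
    findings += check_method_override(request["method"], request["params"])
    findings += check_jsonp(request["params"])
    rng = request["headers"].get("Range")
    if rng:
        findings += check_range_header(rng, resource_size)
    return findings


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    {"method": "POST", "params": {"_method": "TRACE"}, "headers": {}},
    {"method": "GET", "params": {"callback": "cb"}, "headers": {}},
    {"method": "GET", "params": {}, "headers": {"Range": "bytes=0-9,5-14"}},
    {"method": "GET", "params": {}, "headers": {"Range": "bytes=0-99"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["params"], req["headers"], "->", inspect(req) or "clean")
```

Requests that trip a check should be logged with the finding and either
rejected or stripped of the offending parameter or header before they
reach the application; the Range check is the one most worth keeping
even after upgrading, since a reverse proxy can drop abusive requests
before any resource handling starts.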

For Debian 9 stretch, these problems have been fixed in version
4.3.5-1+deb9u1.

We recommend that you upgrade your libspring-java packages.

For the detailed security status of libspring-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libspring-java

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmCDEAAACgkQDTl9HeUl
XjAqJw//Uln8F+rc+JvRzZyNEN03+jPh2hmL2rK3xSEp4jPdoTSSPB6nzgDE0gXU
FP7LIvOva6i4bmxKK/ixJsgB/ZtqFIxpFbWb6VMV5GC/xCpjhdKxTOI96Se/Ydal
/IBit5qQmXxy5HoSJl6rsfQUQQBu6mAo9LOeSyWsECENkW7OtOQRWEz+isHRRyeg
U88+PYs3tqO4J3FtE/vzS5UjRIygaesz5V8szA1jam/cx3KhTatIDE52Ist1huK7
IaCJ6pkFmjc0eJ0ALmQp37A3pzPm9Lq01V/IKwxYijqC8I0DgPiHds5rHCQiOcJo
tPYHPtnp9/IiMaQZw8gSYgvmTyMHwpYk+x2QWdMGaT2HILAd44zn1I86qhOIXts8
ofHJCZVyawHNMrsYxoTJ/HrJ/3ECamI9tmLyRpUmiLcTUmgV+tUxM4FmhLKobuqb
8vctLZL/qmAm+JR5PDptjc3UR0zTqGgjshy94V982ANJCQFe0lMASj5DH9IW3473
dCqyduvrlykfI/0Nl4NkXTEKZeizyIKtw1JOYFr6bjP0UCvM3jTSWwiXquFh9v3O
A6FddCEMoLPEmyPYyYZUe4X5q4Gjsd1AXhhnEVIppXrS6akiCfaw8ZyAvt2MJIiW
51g8FtAypeQloIV91lPbyf+RIZ27n61r1AcDXPZrewTlIuZdNv4=
=bEmi
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----