Spring Data REST Vulnerability

A vulnerability in Pivotal's Spring Data Java Web App development framework may allow an authenticated remote attacker to execute arbitrary code on a targeted device.

Threat ID:: CC-2136
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 15 March 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A vulnerability in Pivotal's Spring Data Java Web App development framework may allow an authenticated remote attacker to execute arbitrary code on a targeted device.

Threat details

The Spring Data representative state transfer (REST) project is used by Java developers to link common additional features to their applications. It is amongst the most popular Java development frameworks, with most modern Java web applications using some REST interfaces.

An error in Spring's coding language, SpEL, used within Data REST can allow specially crafted PATCH requests to be submitted to a targeted server using HTTP resources. These requests can contain JavaScript Object Notation (JSON) data, which an attacker can use to cause the server to execute any code the attacker wishes.

For further information:

Remediation advice

Pivotal have issued a patch for the issue as part of their Spring Boot 2.0 update. Users and administrators are encouraged to review and install this patch immediately. The following product updates are confirmed to not be vulnerable:

Remediation steps

Type	Step
	Pivotal Spring Data REST - Versions 2.5.12, 2.6.7 and 3.0 RC3 Pivotal Spring Boot - Version 2.0.0.M4 Pivotal Spring Data - Release train Kay-RC3

CVE Vulnerabilities

Status

CVE-2017-8046

Status

CVE-2018-8046

Last edited: 17 February 2020 12:55 pm