==================================================================== CERT-Renater Note d'Information No. 2020/VULN430 _____________________________________________________________________ DATE : 24/07/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Spring Integration framework versions prior to 4.3.23, 5.1.12, 5.2.8, 5.3.2. ===================================================================== https://spring.io/blog/2020/07/22/spring-integration-4-3-23-5-1-12-5-2-8-5-3-2-available-cve-2020-5413 https://tanzu.vmware.com/security/cve-2020-5413 _____________________________________________________________________ Spring Integration 4.3.23, 5.1.12, 5.2.8 & 5.3.2 available; CVE-2020-5413 Releases Artem Bilan July 22, 2020 Dear Spring community, On behalf of the team and everyone who contributed, it is my pleasure to announce a number of maintenance releases for Spring Integration. Mostly these versions contain bug fixes and dependency upgrades. CVE-2020-5413 The Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when the incoming data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration calls kryo.setRegistrationRequired(true); (trust no one) by default and pre-configures out-of-the-box Message implementations as trusted classes. All other types have to be registered with Kryo using any available KryoRegistrar strategy injected into a PojoCodec. Credit: ChengGao, ZeZhiLin, Alibaba Cloud Intelligence Security Team https://www.aliyun.com/. All the mentioned Spring Integration versions include the fix for this CVE; everybody who’s using Kryo support in Spring Integration is encouraged to upgrade respectively. Cheers, Artem _______________________________________________________________________ CVE-2020-5413: Kryo Configuration Allows Code Execution with Unknown “Serialization Gadgets” Severity Low Vendor Spring by VMware Description Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown “deserialization gadgets” when configuring Kryo in code. Affected Pivotal Products and Versions Severity is low unless otherwise noted. Spring Integration 4.3.0 to 4.3.22 5.1.0 to 5.1.11 5.2.0 to 5.2.7 5.3.0 to 5.3.1 Mitigation Users of an affected version should upgrade to these releases with the fixed issue: Spring Integration 4.3.23 5.1.12 5.2.8 5.3.2 Credit ChengGao, ZeZhiLin, Alibaba Cloud Intelligence Security Team https://www.aliyun.com/ References https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data History 2020-07-19: Initial vulnerability report published. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================