=====================================================================

                                CERT-Renater

                      Note d'Information No. 2023/VULN424

_____________________________________________________________________

DATE                : 20/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring AMQP versions prior to
                              2.4.17, 3.0.12, 3.1.5, 3.2.0.

=====================================================================
https://spring.io/security/cve-2023-34050/
_____________________________________________________________________

CVE-2023-34050 Spring AMQP Deserialization Vulnerability
MEDIUM | OCTOBER 18, 2023 | CVE-2023-34050


Description

In 2016, allowed list patterns for deserializable class names were
added to Spring AMQP, allowing users to lock down deserialization of
data in messages from untrusted sources; however by default, when no
allowed list was provided, all classes could be deserialized.

Specifically, an application is vulnerable if

     the SimpleMessageConverter or SerializerMessageConverter is used
     the user does not configure allowed list patterns
     untrusted message originators gain permissions to write messages
     to the RabbitMQ broker to send malicious content


Affected Spring Products and Versions

     Spring AMQP
         1.0.0 to 2.4.16
         3.0.0 to 3.0.9


Mitigation

     Do not allow untrusted sources to access the RabbitMQ server
     Users with versions less than 2.4.17 should upgrade to 2.4.17
     Users using versions 3.0.0 to 3.0.9 should upgrade to 3.0.10


Spring Boot dependency management will pull in the corrected versions,
starting with Boot versions 2.7.17, 3.0.12, 3.1.5, and 3.2.0.


Allowed class name patterns are now required.

However, users who wish to revert to the previous behavior of trusting
all classes can set a global environment property or system property;
refer to the Java Deserialization section of the documentation.
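The following Spring configuration shows how allowed list patterns are
set on the converter so that only the application's own message types
can be deserialized. It is an added example, not code from the advisory
or from the Spring AMQP project; the package name com.example.orders and
the bean layout are assumptions.

```java
import java.util.List;

import org.springframework.amqp.rabbit.connection.ConnectionFactory;
import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.amqp.support.converter.SimpleMessageConverter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AmqpDeserializationConfig {

    // Before the fix, a SimpleMessageConverter with no allowed list
    // patterns deserialized any class named in a Java-serialized
    // message body. From 2.4.17 / 3.0.10 the converter refuses such
    // payloads until patterns are configured, so this bean is required
    // for Java-serialized messages to be accepted at all.
    @Bean
    public SimpleMessageConverter messageConverter() {
        SimpleMessageConverter converter = new SimpleMessageConverter();
        // Every class resolved while reading the object graph must match
        // one of these patterns, including collection types used inside
        // your own message classes. "com.example.orders" is an assumed
        // package name for this example.
        converter.setAllowedListPatterns(List.of(
                "com.example.orders.*",
                "java.util.ArrayList"));
        return converter;
    }

    // Wire the restricted converter into the template used for sending
    // and receiving, so the allowed list applies to every conversion.
    @Bean
    public RabbitTemplate rabbitTemplate(ConnectionFactory connectionFactory,
                                         SimpleMessageConverter messageConverter) {
        RabbitTemplate template = new RabbitTemplate(connectionFactory);
        template.setMessageConverter(messageConverter);
        return template;
    }
}
```

Listener containers need the same converter set on their container
factory; a message whose class does not match any pattern is rejected
rather than deserialized.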


Credit

This vulnerability was responsibly reported by L0ne1y.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
