News: 1730212388

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Admins better Spring into action over latest critical open source vuln

(2024/10/29)


If you're running an application built using the Spring development framework, now is a good time to check it's fully updated – a new, critical-severity vulnerability has just been disclosed.

Tracked as CVE-2024-38821, the vulnerability affects apps developed using Spring WebFlux only, and when exploited can lead to security rules being bypassed.

An application is only considered vulnerable to CVE-2024-38821, in this case, if WebFlux is used, if the app is using the framework's static resources support, and a non-permitAll authorization rule is applied to that support. All conditions must be met in order for an app to be considered vulnerable.

[1]

Spring is a widely used development framework, especially popular with Java apps, and has dominated the Java ecosystem for years. Snyk [2]research from 2020 found that 60 percent of Java apps relied on the framework, while [3]more recent findings from Incus Data showed that Spring Boot was relied upon by 58-72 percent of apps and Spring MVC was used by 29-41 percent.

[4]

[5]

According to Spring [6]itself , and the [7]National Vulnerability Database (NVD), the vulnerability carries a critical 9.1 CVSS rating, although this is disputed somewhat by vendors like Red Hat.

IBM's enterprise Linux subsidiary instead assessed the vulnerability's severity score to be much lower, more in the 7.4 region, indicating only a moderate risk of harm to affected organizations. The number of conditions that must all be met for an app to be exploitable was factored in here.

[8]

"This issue is classified as a moderate severity vulnerability because it impacts only specific configurations in Spring WebFlux applications and does not compromise dynamic or core application functionality," its [9]advisory reads.

"To exploit this vulnerability, the application must not only be using Spring WebFlux but must also serve static resources with non-permitAll authorization rules. Furthermore, the breach affects only static resources – such as [10]CSS , [11]JavaScript , or [12]images – that, while potentially sensitive, do not contain dynamic, user-specific data or functional endpoints that interact directly with business logic."

[13]Attackers exploit Spring4Shell flaw to let loose the Mirai botnet

[14]Aerospike targets Java Spring devs with support for the popular framework

[15]Patch now: RCE Spring4shell hits Java Spring framework

[16]Spring break! Critical vuln in Pivotal framework's Data parts plugged

Additionally, despite linking to the NVD's critical assessment, an [17]advisory issued by Italy's Computer Security Incident Response Team (CSIRT-ITA) included its own impact assessment, which was deemed to be "high," or 65.51 out of a possible 100.

Critical, moderate, and high. How nice it is to have a consensus on these things.

Apps using the following versions of Spring, and meeting the three conditions, are deemed vulnerable to CVE-2024-38821:

5.7.x – fixed version: 5.7.13

5.8.x – fixed version: 5.8.15

6.0.x – fixed version: 6.0.13

6.1.x – fixed version: 6.1.11

6.2.x – fixed version: 6.2.7

Older, unsupported versions are also affected

®

Get our [18]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZyEUt0x1tDYrMVKhYc5yDwAAARQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://snyk.io/blog/spring-dominates-the-java-ecosystem-with-60-using-it-for-their-main-applications/

[3] https://incusdata.com/blog/state-of-the-java-ecosystem

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZyEUt0x1tDYrMVKhYc5yDwAAARQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZyEUt0x1tDYrMVKhYc5yDwAAARQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://spring.io/security/cve-2024-38821

[7] https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZyEUt0x1tDYrMVKhYc5yDwAAARQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[9] https://access.redhat.com/security/cve/cve-2024-38821

[10] https://www.theregister.com/2024/08/07/small_css_tweaks_can_help/

[11] https://www.theregister.com/2024/09/17/oracle_urged_to_surrender_javascript_trademark/

[12] https://www.theregister.com/2024/10/22/ghostpulse_malware_loader_png/

[13] https://www.theregister.com/2022/04/11/spring4shell-flaw-exploited-mirai-botnet/

[14] https://www.theregister.com/2023/03/22/aerospike_boosts_support_for_javas/

[15] https://www.theregister.com/2022/03/31/spring_vuln/

[16] https://www.theregister.com/2018/03/05/rest_vuln/

[17] https://www.csirt.gov.it/contenuti/aggiornamenti-per-vmware-spring-al01-241028-csirt-ita

[18] https://whitepapers.theregister.com/



The Worst Car Hire Service
When David Schwartz left university in 1972, he set up Rent-a-wreck
as a joke. Being a natural prankster, he acquired a fleet of beat-up
shabby, wreckages waiting for the scrap heap in California.
He put on a cap and looked forward to watching people's faces as he
conducted them round the choice of bumperless, dented junkmobiles.
To his lasting surprise there was an insatiable demand for them and
he now has 26 thriving branches all over America. "People like driving
round in the worst cars available," he said. Of course they do.
"If a driver damages the side of a car and is honest enough to
admit it, I tell him, `Forget it'. If they bring a car back late we
overlook it. If they've had a crash and it doesn't involve another vehicle
we might overlook that too."
"Where's the ashtray?" asked one Los Angeles wife, as she settled
into the ripped interior. "Honey," said her husband, "the whole car's the
ash tray."
-- Stephen Pile, "The Book of Heroic Failures"