CVE-2011-2894

Name of the Vulnerable Software and Affected Versions Spring Framework versions 3.0.0 through 3.0.5 Spring Security versions 2.0.0 through 2.0.6 Spring Security versions 3.0.0 through 3.0.5

Description The issue allows remote attackers to bypass intended security restrictions and execute untrusted code by deserializing objects from untrusted sources. This can be achieved by serializing a java.lang.Proxy instance and using InvocationHandler, or by accessing internal AOP interfaces. An example of exploitation is the deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

Recommendations For Spring Framework versions 3.0.0 through 3.0.5, consider disabling the deserialization of objects from untrusted sources until a patch is available. For Spring Security versions 2.0.0 through 2.0.6, restrict access to internal AOP interfaces to minimize the risk of exploitation. For Spring Security versions 3.0.0 through 3.0.5, avoid using the InvocationHandler to handle serialized java.lang.Proxy instances until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.