CVE-2016-1000027

Name of the Vulnerable Software and Affected Versions Pivotal Spring Framework versions prior to 6.0.0 Pivotal Spring Framework versions 4.2.6 and 3.2.17 Pivotal Spring Framework versions 5.3.0 through 5.3.16

Description The issue is related to the implementation of the readRemoteInvocation method in the HttpInvokerServiceExporter class, which is part of the Spring Framework. It is connected to weaknesses in the deserialization mechanism. An attacker can exploit this issue by sending specially crafted requests, potentially allowing them to execute arbitrary code. The vendor notes that deserialization of untrusted data is not an intended use case, and the product's behavior will not be changed because some users rely on deserialization of trusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.

Recommendations For Pivotal Spring Framework versions prior to 6.0.0, consider upgrading to version 6.0.0 or later, which removes the impacted classes. For Pivotal Spring Framework versions 4.2.6 and 3.2.17, investigate alternative components or potential mitigating controls, and take precautions against unsafe Java deserialization as advised in the enhanced documentation. For Pivotal Spring Framework versions 5.3.0 through 5.3.16, consider upgrading to version 6.0.0 or later, and be aware that the impacted classes are deprecated in version 5.3.0. As a temporary workaround, consider restricting the use of the HttpInvokerServiceExporter class and taking precautions against unsafe Java deserialization until a patch is available.