CVE-2018-1270

Impact:
Critical
Public Date:
2018-04-05
CWE:
CWE-20
Bugzilla:
1564405: CVE-2018-1270 spring-framework: Possible RCE via spring messaging

The MITRE CVE dictionary describes this issue as:

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Find out more about CVE-2018-1270 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

No Red Hat products are directly affected by this flaw; the products that package some parts of the Spring Framework either do not ship the affected messaging component, or use an older version that is not affected.

Fuse 6.3 and Fuse Integration Services 2.0 are both not directly affected by the flaw, but both point to the affected versions in their respective Camel-Springboot Maven repository BOMs. Fixes for those repository links will be addressed in advisories via regular patch cycle; customers using Spring stomp messaging from these Maven repositories are advised to update to the new BOMs when available.

CVSS v3 metrics

CVSS3 Base Score 9.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Fuse 6.3 RHSA-2018:2939 2018-10-17

Affected Packages State

Platform Package State
Red Hat Virtualization 4 rhevm-dependencies Not affected
Red Hat OpenStack Platform 9.0 opendaylight Not affected
Red Hat OpenStack Platform 12.0 opendaylight Not affected
Red Hat OpenStack Platform 11.0 (Ocata) opendaylight Not affected
Red Hat OpenStack Platform 10 opendaylight Not affected
Red Hat Mobile Application Platform On-Premise 4 spring Not affected
Red Hat JBoss Web Server 3 tomcat Not affected
Red Hat JBoss Portal Platform 6 spring Not affected
Red Hat JBoss Fuse Service Works 6 spring Not affected
Red Hat JBoss Fuse 7 spring Not affected
Red Hat JBoss Enterprise SOA Platform 5 spring Not affected
Red Hat JBoss EWS 2 tomcat Not affected
Red Hat JBoss EAP 7 undertow Not affected
Red Hat JBoss EAP 6 jbossweb Not affected
Red Hat JBoss EAP 5 jbossweb Not affected
Red Hat JBoss Data Virtualization 6 spring Not affected
Red Hat JBoss BRMS 5 spring Not affected
Red Hat JBoss A-MQ 6 spring Not affected
Red Hat Gluster Storage 3 rhevm-dependencies Not affected
Red Hat Enterprise Linux 8 springframework Not affected

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation