On September 21, 2017, a high-severity vulnerability in the Java Spring Framework, CVE-2017-8046, was disclosed. Attackers can exploit it to run commands remotely, so services built on the Spring Framework are exposed to a high security risk.
See the following for more information about the vulnerability.
Remote code execution vulnerability in Java Spring Data REST
By using a specially crafted JSON packet, an attacker can submit a malicious PATCH request to the spring-data-rest server to run arbitrary Java code.
Condition and method of exploitation
The website exposes REST web services provided by Spring Data REST, and the version in use is one of the affected versions:
- Versions earlier than Spring Data REST 2.5.12, 2.6.7, and 3.0 RC3
- Versions earlier than Spring Boot 2.0.0.M4
- Versions earlier than Spring Data release train Kay-RC3
Check whether your deployment uses any of these affected versions.
How to fix or mitigate
Upgrade to the following versions:
- Spring Data REST 2.5.12, 2.6.7, 3.0 RC3
- Spring Boot 2.0.0.M4
- Spring Data release train Kay-RC3
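To support the version check above, the following added script (not part of the original advisory) scans constructed `mvn dependency:list` output for Spring Data REST jars and flags any that are older than the fixed releases listed here, honouring Spring's M < RC < RELEASE qualifier order; the sample dependency lines and the `FIXED` table are assumptions built from the versions on this page.

```python
"""Flag Spring Data REST artifacts in Maven dependency output that are older
than the releases fixed for CVE-2017-8046 (constructed sample input below)."""
import re

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED = {(2, 5): "2.5.12.RELEASE", (2, 6): "2.6.7.RELEASE", (3, 0): "3.0.0.RC3"}

# Spring qualifier order: milestones < release candidates < GA release.
QUALIFIER_RANK = {"M": 1, "RC": 2, "RELEASE": 3}

def parse_version(version):
    """'3.0.0.RC3' -> (3, 0, 0, 2, 3); '2.6.7' or '2.6.7.RELEASE' -> (2, 6, 7, 3, 0)."""
    parts = version.split(".")
    nums = [int(p) for p in parts if p.isdigit()]
    nums += [0] * (3 - len(nums))          # pad '3.0' to (3, 0, 0)
    qual = parts[-1] if not parts[-1].isdigit() else "RELEASE"
    m = re.fullmatch(r"(M|RC|RELEASE)(\d*)", qual)
    if m is None:
        return tuple(nums[:3]) + (0, 0)    # BUILD-SNAPSHOT or unknown qualifier sorts first
    return tuple(nums[:3]) + (QUALIFIER_RANK[m.group(1)], int(m.group(2) or 0))

def is_affected(version):
    """True if older than the fix for its release line; None if the line is not listed."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        # Lines older than 2.5 predate every fix; newer unlisted lines are out of scope.
        return True if parsed < parse_version("2.5.12") else None
    return parsed < parse_version(fixed)

# Matches the groupId:artifactId:jar:version:scope form printed by `mvn dependency:list`.
DEP_LINE = re.compile(r"org\.springframework\.data:(spring-data-rest-[\w-]+):jar:([\w.-]+):")

def scan_dependency_list(text):
    """Return {artifact: version} for affected Spring Data REST jars in the output."""
    findings = {}
    for line in text.splitlines():
        m = DEP_LINE.search(line)
        if m and is_affected(m.group(2)):
            findings[m.group(1)] = m.group(2)
    return findings

# Constructed sample of `mvn dependency:list` output, not taken from a real project.
SAMPLE = """\
[INFO]    org.springframework.data:spring-data-rest-core:jar:2.6.6.RELEASE:compile
[INFO]    org.springframework.data:spring-data-rest-webmvc:jar:2.6.6.RELEASE:compile
[INFO]    org.springframework.data:spring-data-commons:jar:1.13.6.RELEASE:compile
"""

if __name__ == "__main__":
    for artifact, version in scan_dependency_list(SAMPLE).items():
        print("affected: %s %s" % (artifact, version))
```

Run it against real `mvn dependency:list` output (or the version strings from jar manifests) instead of `SAMPLE`; an empty result means no Spring Data REST jar older than the listed fixes was found.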