
[Vulnerability notice] CVE-2017-8046: Remote code execution vulnerability in Java Spring Data REST

Last Updated: Apr 08, 2018

On September 21, 2017, Pivotal published an advisory for a high-severity vulnerability in Spring Data REST, CVE-2017-8046. The flaw is in Spring Data REST itself, not in the core Spring Framework: an attacker who can send PATCH requests to an exposed Spring Data REST repository endpoint can use it to run arbitrary Java code on the server. Services that expose repositories through an affected Spring Data REST version are therefore at high risk.

See the following for more information about the vulnerability.

CVE identifier

CVE-2017-8046

Vulnerability name

Remote code execution vulnerability in Java Spring Data REST

Vulnerability rating

High

Vulnerability description

By submitting a malicious PATCH request with a specially crafted JSON body to a Spring Data REST server, an attacker can run arbitrary Java code. The root cause is that Spring Data REST evaluates the path of each operation in a JSON Patch body as a Spring Expression Language (SpEL) expression against the target entity, so an attacker-controlled path is executed rather than treated as a plain JSON pointer. No privilege beyond whatever access control the application places in front of the endpoint is required.

Condition and method of exploitation

The application exposes repositories through the REST web services provided by Spring Data REST (directly, or through Spring Boot's spring-boot-starter-data-rest), the PATCH method can reach those endpoints, and the Spring Data REST version in use is one of the affected versions below. The version of the core Spring Framework is not what determines exposure.

Affected scope

  • Spring Data REST versions earlier than 2.5.12, 2.6.7, and 3.0 RC3
  • Spring Boot versions earlier than 2.0.0.M4 (affected through the Spring Data REST version they manage)
  • Spring Data release trains earlier than Kay-RC3

Vulnerability detection

Determine the exact Spring Data REST version the application ships; the Spring Framework version is not the relevant one. In a Maven build, run mvn dependency:tree and look for org.springframework.data:spring-data-rest-* artifacts. In a deployed application, inspect the spring-data-rest-*.jar files under WEB-INF/lib, or under BOOT-INF/lib inside a Spring Boot executable jar. Compare the version found with the affected scope above; with Spring Boot, check the resolved Spring Data REST version rather than assuming it from the Spring Boot version alone.
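As an added example (not code from this notice, from Pivotal, or from the Spring Data REST project), the script below classifies a Spring Data REST version string against the affected scope above and scans mvn dependency:tree output for affected artifacts. The fixed-version table is taken from this notice; the sample dependency tree is constructed and was not captured from a real build.

```python
"""Classify Spring Data REST versions against the CVE-2017-8046 affected scope
and scan `mvn dependency:tree` output for affected artifacts.

Added example for this notice; not code from Pivotal or Spring Data REST.
The fixed versions come from the notice; the sample tree below is constructed.
"""
import re
import sys
from typing import List, Tuple

Version = Tuple[int, int, int, int, int]

# Qualifier ordering used by Spring releases of that era:
# M1 < M2 < ... < RC1 < RC2 < ... < RELEASE
_QUALIFIER_RANK = {"M": 0, "RC": 1, "RELEASE": 2}


def parse_version(version: str) -> Version:
    """Parse '2.6.6.RELEASE', '3.0.0.RC2', '3.0.0.M4' or '2.6.6' into a sortable
    (major, minor, patch, qualifier_rank, qualifier_number) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+)|\.RELEASE)?", version)
    if not m:
        raise ValueError(f"unrecognised Spring version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4):  # milestone or release candidate
        return (major, minor, patch, _QUALIFIER_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _QUALIFIER_RANK["RELEASE"], 0)


# First fixed release on each line named in the notice.
FIRST_FIXED = {
    (2, 5): parse_version("2.5.12.RELEASE"),
    (2, 6): parse_version("2.6.7.RELEASE"),
    (3, 0): parse_version("3.0.0.RC3"),
}


def is_affected(version: str) -> bool:
    """True when `version` is earlier than the first fixed release on its line.
    Lines older than 2.5 have no fixed release and are treated as affected;
    lines newer than 3.0 are outside the notice's scope and treated as fixed."""
    v = parse_version(version)
    line = (v[0], v[1])
    if line in FIRST_FIXED:
        return v < FIRST_FIXED[line]
    return line < (2, 5)


# Maven prints each dependency as groupId:artifactId:type:version:scope.
_DEP_LINE = re.compile(
    r"org\.springframework\.data:(spring-data-rest-[a-z-]+):jar:([^:\s]+):"
)


def find_affected(dependency_tree: str) -> List[Tuple[str, str]]:
    """Return distinct (artifact, version) pairs from `mvn dependency:tree`
    output whose Spring Data REST version is affected."""
    hits: List[Tuple[str, str]] = []
    for line in dependency_tree.splitlines():
        m = _DEP_LINE.search(line)
        if m and is_affected(m.group(2)) and (m.group(1), m.group(2)) not in hits:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-data-rest:jar:1.5.7.RELEASE:compile
[INFO] |  +- org.springframework.data:spring-data-rest-webmvc:jar:2.6.6.RELEASE:compile
[INFO] |  |  \- org.springframework.data:spring-data-rest-core:jar:2.6.6.RELEASE:compile
[INFO] |  \- org.springframework.data:spring-data-commons:jar:1.13.7.RELEASE:compile
[INFO] \- org.springframework:spring-webmvc:jar:4.3.11.RELEASE:compile
"""

if __name__ == "__main__":
    # Usage: mvn dependency:tree | python check_spring_data_rest.py
    # With no piped input, the constructed sample tree is scanned instead.
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for artifact, version in find_affected(tree):
        print(f"AFFECTED: {artifact} {version} (CVE-2017-8046)")
```

Gradle's dependency report prints group:artifact:version without the :jar: type segment and marks conflict-resolved versions with an arrow, so the regex must be adapted and the resolved version used when scanning Gradle output. The script only sees declared dependencies; a shaded or manually copied spring-data-rest jar has to be checked by inspecting the deployed archive.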

How to fix or mitigate

Upgrade Spring Data REST to a fixed version. The minimum fixed versions at the time of this notice are those in the Pivotal advisory [1]; the corresponding fix commit is [2]:

  • Spring Data REST 2.5.12, 2.6.7, or 3.0 RC3
  • Spring Boot 2.0.0.M4
  • Spring Data release train Kay-RC3

Spring Boot applications must end up resolving a fixed Spring Data REST version, either by upgrading Spring Boot or by overriding the managed spring-data-rest version; re-run the detection step afterwards to confirm the version actually on the classpath. Because the vendor advisory may have been revised after this notice was last updated, confirm the current fixed versions against [1] before choosing a target version. If an immediate upgrade is not possible, blocking PATCH requests to the Spring Data REST endpoints at a reverse proxy or WAF removes the attack path until the upgrade is done, but it is a stopgap, not a fix.

Reference

[1] https://pivotal.io/security/cve-2017-8046 (Pivotal advisory)
[2] https://github.com/spring-projects/spring-data-rest/commit/8f269e28fe8038a6c60f31a1c36cfda04795ab45 (fix commit)
[3] http://projects.spring.io/spring-data-rest/ (Spring Data REST project page)
