Abhijit Rajwade created TIKA-2716:
-------------------------------------

             Summary: Sonatype Nexus auditor is reporting that spring framework 
version used by Tika 1.18 is vulnerable
                 Key: TIKA-2716
                 URL: https://issues.apache.org/jira/browse/TIKA-2716
             Project: Tika
          Issue Type: Bug
          Components: core
    Affects Versions: 1.18
            Reporter: Abhijit Rajwade


Sonatype Nexus auditor is reporting that the Spring Framework version used by 
Apache Tika 1.18 is vulnerable. The recommendation is to upgrade to a 
non-vulnerable version of Spring Framework: 4.3.15 or later, or 5.0.5 or later.
 
Refer to the following details
 
Issue 
[CVE-2018-1270|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1270]
 
Source National Vulnerability Database
 
Severity
CVE CVSS 3.0: 9.8
CVE CVSS 2.0: 7.5
Sonatype CVSS 3.0: 9.8
 
Weakness
CVE CWE: [358|https://cwe.mitre.org/data/definitions/358.html]
 
Description from CVE
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 
and older unsupported versions, allow applications to expose STOMP over 
WebSocket endpoints with a simple, in-memory STOMP broker through the 
spring-messaging module. A malicious user (or attacker) can craft a message to 
the broker that can lead to a remote code execution attack.
Explanation
The Spring Framework {{spring-messaging}} module is vulnerable to Remote Code 
Execution (RCE). The {{getMethods()}} method in the 
{{ReflectiveMethodResolver}} class, the {{canWrite}} method in the 
{{ReflectivePropertyAccessor}} class, and the {{filterSubscriptions()}} method 
in the {{DefaultSubscriptionRegistry}} class do not properly restrict SpEL 
expression evaluation. A remote attacker can exploit this vulnerability by 
crafting a request to an exposed STOMP endpoint and injecting a malicious 
payload into the {{selector}} header. The application would then execute the 
payload via a call to {{expression.getValue()}} whenever a new message is sent 
to the broker.
 
Detection
The application is vulnerable by using this component.
 
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.
Categories
Data
Root Cause
tika-app-1.18.jar *<=* ReflectivePropertyAccessor.class : [3.0.0.RELEASE , 
4.3.15.RELEASE)
tika-app-1.18.jar *<=* ReflectiveMethodResolver.class : [3.0.0.RELEASE , 
4.3.15.RELEASE)
 
Advisories
Attack: [http://www.polaris-lab.com/index.php/archives/501/]
Attack: 
[https://chybeta.github.io/2018/04/07/spring-messaging-Remote...|https://chybeta.github.io/2018/04/07/spring-messaging-Remote-Code-Execution-%E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1270%E3%80%91/]
Project: [https://jira.spring.io/browse/SPR-16588]
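The Sonatype report above flags the application as vulnerable simply because the affected component is bundled, and the "Root Cause" lines point at two spring-expression classes inside tika-app-1.18.jar. The following is an added example (Python, written for this page; it is not Tika, Spring or Sonatype code) of how to reproduce that check locally against any jar: it reads the Maven pom.properties entries that Spring artifacts carry under META-INF/maven/org.springframework/, compares the version against the affected ranges quoted in the CVE description (4.3 before 4.3.15, 5.0 before 5.0.5, and anything older than 4.3), and separately records whether the two SpEL classes named in the root-cause section are present. The constructed sample jar written by make_sample_jar() is a stand-in that contains only the entries the scanner looks at, not a real Tika artifact. If a shaded jar was built without the Maven metadata, the version lookup finds nothing and the class-presence flag is the only signal left, which is the same fallback the auditor's root-cause lines reflect.

```python
"""Scan a Java archive for a bundled Spring Framework in the CVE-2018-1270
affected ranges.  Added example for this ticket; not part of Tika, Spring
or Sonatype.  Assumes Spring's META-INF/maven/.../pom.properties entries
survived the build; class presence is reported as a fallback signal."""
import io
import re
import zipfile

# Maven metadata path that Spring artifacts ship with, e.g.
# META-INF/maven/org.springframework/spring-expression/pom.properties
POM_RE = re.compile(
    r'^META-INF/maven/org\.springframework/(spring-[\w-]+)/pom\.properties$')

# The two classes named in the Sonatype "Root Cause" section.
VULN_CLASSES = (
    'org/springframework/expression/spel/support/ReflectivePropertyAccessor.class',
    'org/springframework/expression/spel/support/ReflectiveMethodResolver.class',
)


def parse_version(v):
    """'4.3.14.RELEASE' -> (4, 3, 14); trailing non-numeric qualifiers dropped."""
    nums = []
    for part in v.split('.'):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def is_affected(version):
    """Affected ranges from the CVE text: 4.3 < 4.3.15, 5.0 < 5.0.5,
    and older unsupported versions (anything below 4.3)."""
    major, minor, patch = parse_version(version)
    if major < 4 or (major == 4 and minor < 3):
        return True
    if major == 4:
        return (major, minor, patch) < (4, 3, 15)
    if major == 5 and minor == 0:
        return (major, minor, patch) < (5, 0, 5)
    return False  # 5.1 and later are outside the ranges the CVE lists


def scan_jar(data):
    """Return ({artifact: version}, [vulnerable classes present]) for jar bytes."""
    found = {}
    classes = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if m:
                props = zf.read(name).decode('utf-8', 'replace')
                vm = re.search(r'^version=(.+)$', props, re.M)
                if vm:
                    found[m.group(1)] = vm.group(1).strip()
            elif name in VULN_CLASSES:
                classes.append(name)
    return found, classes


def report(data):
    """Summarise the scan: every Spring artifact seen, those in affected
    ranges, and whether the SpEL classes from the root-cause lines exist."""
    found, classes = scan_jar(data)
    flagged = {a: v for a, v in found.items() if is_affected(v)}
    return {'spring': found, 'affected': flagged,
            'spel_classes_present': bool(classes)}


def make_sample_jar(spring_version):
    """Constructed stand-in for a fat jar bundling spring-expression.
    Not a real Tika artifact; only the entries the scanner reads are written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr(
            'META-INF/maven/org.springframework/spring-expression/pom.properties',
            'version=%s\ngroupId=org.springframework\n'
            'artifactId=spring-expression\n' % spring_version)
        zf.writestr(VULN_CLASSES[0], b'\xca\xfe\xba\xbe')  # class-file magic only
    return buf.getvalue()


if __name__ == '__main__':
    import sys
    # Usage: python scan.py tika-app-1.18.jar   (falls back to the sample jar)
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as fh:
            data = fh.read()
    else:
        data = make_sample_jar('4.3.14.RELEASE')
    print(report(data))
```

Running it against a real tika-app-1.18.jar prints the bundled Spring artifacts and their versions; an empty 'spring' map together with spel_classes_present set to True means the Maven metadata was stripped during shading and the version has to be confirmed from Tika's own pom instead.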
 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
