Shubhangi Raut created SM-5083:
----------------------------------

             Summary: Spring4shell vulnerability mitigation in [org.apache.servicemix.bundles.spring-beans] [5.3.5_1]
                 Key: SM-5083
                 URL: https://issues.apache.org/jira/browse/SM-5083
             Project: ServiceMix
          Issue Type: Bug
          Components: servicemix-bean
    Affects Versions: 5.6.3
            Reporter: Shubhangi Raut


*Severity :* Sonatype CVSS 3: 9.8; CVE CVSS 2.0: 0.0

*Weakness :* Sonatype CWE: 470

*Source :* Sonatype Data Research

*Explanation :* The spring-beans package is vulnerable to Remote Code Execution 
[RCE]. The constructor method in the CachedIntrospectionResults class allows 
the loading of arbitrary classes. A remote attacker can exploit this 
vulnerability to upload a malicious class and ultimately result in RCE.
This issue is due to an insufficient fix for CVE-2010-1622.
We are still investigating other avenues of attack but out of an abundance of 
caution, and media attention, are releasing this advisory now.

*Detection :* The application is vulnerable by using this component, if using 
Java version 9 or above.

*Mitigation :* Upgrade spring version to latest available.
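For applications that cannot take the upgrade immediately, the stopgap Spring published alongside its fix is a global binder denylist; the following is an added example, not part of this issue or of ServiceMix code, and assumes a Spring MVC application (the class and method names are my own). It refuses to bind request parameters to any property path that passes through `class`, which is the route by which the CachedIntrospectionResults behaviour above exposes the ClassLoader on Java 9+.

```java
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binder hardening against the spring-beans class-loader
 * binding path described in this issue. Every WebDataBinder created for a
 * request handler receives a denylist that rejects any property path passing
 * through "class" (for example class.module.classLoader.*), so request
 * parameters can no longer reach the ClassLoader through bean introspection.
 * Stopgap only: upgrading spring-beans remains the actual fix.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns from the Spring-published workaround. Both casings are listed
    // because disallowed-field matching was case-sensitive in affected versions.
    private static final String[] CLASS_PATH_DENYLIST =
            {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassPropertyPaths(WebDataBinder dataBinder) {
        // setDisallowedFields() replaces the current list rather than appending
        // to it, so merge with anything a controller's own @InitBinder already
        // registered instead of silently discarding it.
        Set<String> merged = new LinkedHashSet<>();
        String[] existing = dataBinder.getDisallowedFields();
        if (existing != null) {
            for (String field : existing) {
                merged.add(field);
            }
        }
        for (String pattern : CLASS_PATH_DENYLIST) {
            merged.add(pattern);
        }
        dataBinder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

The advice must be picked up by component scanning (or declared as a bean) to take effect, and it does not cover controllers that bypass WebDataBinder entirely.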



--
This message was sent by Atlassian Jira
(v8.20.1#820001)