Spring AMQP Remote Code Execution Vulnerability Fixed by 1.6 M2 and 1.5.5


Description   A vulnerability was reported in Spring AMQP. A remote attacker could exploit it via a specially crafted serialized object (such as the Commons Collections payload described by Chris Frohoff) in order to execute arbitrary code. This vulnerability stems from a lack of validation by the "org.springframework.core.serializer.DefaultDeserializer" class of the deserialized object against a whitelist.
     
Vulnerable Products   Vulnerable OS:
Fedora (Red Hat) - 22, 23
     
Solution   Fixed springframework-amqp packages for Fedora 22 are available.
     
CVE   CVE-2016-2173
     
References   - Spring : Add Class/Package White List to Deserializing Message Converters.
https://jira.spring.io/browse/AMQP-590
- Pivotal.io : CVE-2016-2173 Remote Code Execution in Spring AMQP
http://pivotal.io/security/cve-2016-2173
- FEDORA : Fedora 23 Update: springframework-amqp-1.3.9-4.fc23
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/182850.html
- FEDORA : Fedora 22 Update: springframework-amqp-1.3.9-4.fc22
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/182959.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm: RCE attempt using Java serialized class known to be vulnerable to unsafe deserialization
Available Since: 5.0.0
     

Risk level   Moderate

Vulnerability First Public Report Date   2016-04-11

Target Type   Server

Possible exploit   Remote