Description
Sonatype Nexus auditor is reporting that the Spring Framework version used by Apache Tika 1.18 is vulnerable. The recommendation is to upgrade to a non-vulnerable version of Spring Framework: 4.3.15 or later, or 5.0.5 or later.
Refer to the following details:
Issue CVE-2018-1270
Source National Vulnerability Database
Severity
CVE CVSS 3.0: 9.8
CVE CVSS 2.0: 7.5
Sonatype CVSS 3.0: 9.8
Weakness
CVE CWE: 358
Description from CVE
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
Explanation
The Spring Framework spring-messaging module is vulnerable to Remote Code Execution (RCE). The getMethods() method in the ReflectiveMethodResolver class, the canWrite method in the ReflectivePropertyAccessor class, and the filterSubscriptions() method in the DefaultSubscriptionRegistry class do not properly restrict SpEL expression evaluation. A remote attacker can exploit this vulnerability by crafting a request to an exposed STOMP endpoint and injecting a malicious payload into the selector header. The application would then execute the payload via a call to expression.getValue() whenever a new message is sent to the broker.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Categories
Data
Root Cause
tika-app-1.18.jar <= ReflectivePropertyAccessor.class : [3.0.0.RELEASE , 4.3.15.RELEASE)
tika-app-1.18.jar <= ReflectiveMethodResolver.class : [3.0.0.RELEASE , 4.3.15.RELEASE)
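The Root Cause section above shows why this finding is awkward for a shaded build: the Spring classes live inside tika-app-1.18.jar itself, so you cannot bump a version number in your own pom to fix it, and a scanner that only looks at declared dependencies will miss it. The following added example (not code from the Tika project or from Sonatype) is a small offline check that opens a jar, reads the version recorded in the shaded-in META-INF/maven/org.springframework/*/pom.properties entries, flags the ranges named in the advisory (4.3.x before 4.3.15, 5.0.x before 5.0.5, and everything older), and falls back to reporting "Spring present, version unknown" if only the marker classes from the Root Cause / Explanation sections are there. It assumes the Maven shade plugin kept the pom.properties files (its default); the sample jar it scans is constructed inline and is a stand-in, not the real tika-app-1.18.jar.

```python
import io
import re
import zipfile

# Fixed versions from the advisory: 4.3.15 and 5.0.5. Anything below 4.3.15
# (including the 3.x / 4.0-4.2 lines the CVE calls "older unsupported") is
# treated as vulnerable, as is 5.0.0 <= v < 5.0.5.
FIXED_4X = (4, 3, 15)
FIXED_5X = (5, 0, 5)

# Classes named in the Root Cause and Explanation sections. Their presence
# shows spring-expression / spring-messaging code is bundled even when the
# shade plugin dropped pom.properties and no version can be read.
MARKER_CLASSES = (
    "org/springframework/expression/spel/support/ReflectivePropertyAccessor.class",
    "org/springframework/expression/spel/support/ReflectiveMethodResolver.class",
    "org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.class",
)

# Maven shade keeps these descriptors by default for every merged artifact.
POM_PROPS_RE = re.compile(
    r"^META-INF/maven/org\.springframework/([^/]+)/pom\.properties$")


def parse_version(s):
    """'4.3.14.RELEASE' -> (4, 3, 14); qualifiers such as RELEASE are ignored."""
    nums = []
    for part in s.split(".")[:3]:
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version):
    """True if the version falls in a range affected by CVE-2018-1270."""
    v = parse_version(version)
    if v < FIXED_4X:          # 4.3.0-4.3.14 and every older line
        return True
    if (5, 0, 0) <= v < FIXED_5X:   # 5.0.0-5.0.4
        return True
    return False


def scan_jar(jar_bytes):
    """Inspect a (possibly shaded) jar given as bytes; return a findings dict."""
    artifacts = {}   # artifactId -> version string from pom.properties
    markers = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS_RE.match(name)
            if m:
                props = zf.read(name).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        artifacts[m.group(1)] = line.split("=", 1)[1].strip()
            elif name in MARKER_CLASSES:
                markers.append(name)
    return {
        "artifacts": artifacts,
        "marker_classes": markers,
        "vulnerable": any(is_vulnerable(v) for v in artifacts.values()),
        # Spring classes present but no version descriptor: needs manual review.
        "unknown_version": bool(markers) and not artifacts,
    }


def build_sample_jar(spring_version):
    """Constructed stand-in for tika-app-1.18.jar (NOT the real artifact):
    a zip holding a shaded-in pom.properties plus empty marker class entries;
    only the entry names and the version line matter for the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "META-INF/maven/org.springframework/spring-expression/pom.properties",
            "version=%s\ngroupId=org.springframework\n"
            "artifactId=spring-expression\n" % spring_version)
        for cls in MARKER_CLASSES:
            zf.writestr(cls, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Scan a real file with: scan_jar(open("tika-app-1.18.jar", "rb").read())
    for ver in ("4.3.14.RELEASE", "4.3.15.RELEASE", "5.0.4.RELEASE", "5.0.5.RELEASE"):
        report = scan_jar(build_sample_jar(ver))
        print(ver, "VULNERABLE" if report["vulnerable"] else "ok", report["artifacts"])
```

Two caveats when using this against a real uber jar: a build can strip the pom.properties descriptors, in which case the script can only say that Spring classes are bundled (the unknown_version flag), and a clean version number does not tell you whether the shaded jar was rebuilt against patched classes. Sonatype matches on class fingerprints rather than declared coordinates, which is why the Root Cause lists individual .class entries; for a shaded consumer the remedy is a rebuilt jar without the vulnerable Spring classes (as the superseding Tika issue does by excluding the transitive dependency), not a version override in the consuming project.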
Advisories
Attack: http://www.polaris-lab.com/index.php/archives/501/
Attack: https://chybeta.github.io/2018/04/07/spring-messaging-Remote...
Project: https://jira.spring.io/browse/SPR-16588
Issue Links
- is superseded by TIKA-2721 Exclude Spring (transitive dependency) from tika-parsers (Closed)