
Spring4shell vulnerability mitigation in [org.apache.servicemix.bundles.spring-beans] [5.3.5_1]


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 5.6.3
    • Fix Version/s: None
    • Component/s: servicemix-bean
    • Labels: None

    Description

      Severity : Sonatype CVSS 3: 9.8; CVE CVSS 2.0: 0.0

      Weakness : Sonatype CWE: 470

      Source : Sonatype Data Research

      Explanation : The spring-beans package is vulnerable to Remote Code Execution (RCE). The constructor of the CachedIntrospectionResults class allows arbitrary classes to be loaded. A remote attacker can exploit this to upload a malicious class and ultimately achieve RCE.
      This issue is due to an insufficient fix for CVE-2010-1622.
      We are still investigating other avenues of attack but, out of an abundance of caution and given the media attention, are releasing this advisory now.

      Detection : The application is vulnerable if it uses this component and runs on Java version 9 or above.

      Mitigation : Upgrade the Spring version to the latest available release.

      People

        jbonofre Jean-Baptiste Onofré
        shuraut Shubhangi Raut