Task
Resolution: Done
https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
One or more dependencies were identified with known vulnerabilities in Blossom sample webapp: spring-core-5.3.19.jar (pkg:maven/org.springframework/spring-core@5.3.19, cpe:2.3:a:pivotal_software:spring_framework:5.3.19:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:5.3.19:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:5.3.19:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:5.3.19:*:*:*:*:*:*:*) : CVE-2016-1000027
tl;dr:
- Spring won't acknowledge or fix the issue; their position is that Java serialization is intrinsically unsafe and there is nothing Spring can do about it.
- Magnolia Blossom doesn't use the potentially vulnerable HttpInvoker API.
"Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data."
"Java serialization is intrinsically unsafe, there is nothing Spring could do here to fix it. If you don't use the HttpInvoker mechanism with Java serialization, then you are not affected. If you are using HttpInvoker and the API you built is accessible by a third party, add a serialization filter to whitelist the types you need to accept.
Removing HttpInvoker in 5.x would be a breaking change. If a security scanning tool brought you here and you are not affected, you should mark the CVE as a false positive."
https://github.com/spring-projects/spring-framework/issues/32300#issuecomment-1955908992
Magnolia Blossom doesn't use the potentially vulnerable HttpInvoker API.