CVE-2018-1270
Remote Code Execution vulnerability in spring-messaging (Maven)

Remote Code Execution Proof of concept

What is CVE-2018-1270 About?

This vulnerability affects Spring Framework applications that expose STOMP over WebSocket endpoints backed by the simple in-memory broker in spring-messaging. A malicious client can craft a STOMP message that the broker evaluates as a Spring Expression Language (SpEL) expression, giving the attacker arbitrary code execution in the server's JVM. Exploitation requires only that the attacker can open a WebSocket session and send STOMP frames to the endpoint.

Affected Software

  • org.springframework:spring-messaging
    • >=5.0.0.RELEASE, <5.0.5.RELEASE
    • <4.3.16.RELEASE

Technical Details

Spring applications can expose STOMP over WebSocket endpoints backed by the simple in-memory broker in the spring-messaging module. The STOMP SUBSCRIBE frame accepts a selector header; the broker stores it with the subscription and, for every message published to that destination, evaluates the selector as a Spring Expression Language (SpEL) expression against the message to decide whether the subscriber should receive it. In affected versions the selector was evaluated with a StandardEvaluationContext, which gives the expression the whole language: T(...) type references, constructors and arbitrary method invocation. Because the selector is fully attacker-controlled, a SUBSCRIBE frame can carry an expression such as a T(java.lang.Runtime) method call, and the attacker can trigger its evaluation simply by sending a SEND frame to the same destination. No Java deserialization or gadget chain is involved; the root cause is unrestricted SpEL evaluation of client-supplied input. The fixed releases evaluate selectors with SimpleEvaluationContext, which restricts expressions to property and index access over the message headers.
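The root cause in a compact form, as an added example that is not part of the original page and not the Spring project's own code: a selector string is parsed with SpelExpressionParser and evaluated against a message, once with the StandardEvaluationContext used by affected versions and once with the SimpleEvaluationContext used by the fixed releases. The class name SelectorDemo, the header name foo and both selector strings are assumptions for illustration; the example needs spring-messaging and spring-expression from a fixed release (4.3.16.RELEASE or 5.0.5.RELEASE and later) on the classpath, since SimpleEvaluationContext was introduced with the fix.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.messaging.Message;
import org.springframework.messaging.support.MessageBuilder;

/**
 * SelectorDemo (hypothetical name, added example): evaluates a STOMP
 * "selector" header the way a subscription registry would, first with the
 * pre-fix StandardEvaluationContext and then with the SimpleEvaluationContext
 * that the patched releases use.
 */
public class SelectorDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Vulnerable pattern: a full-power context resolves types, constructors and methods. */
    static String matchVulnerable(String selector, Message<?> message) {
        return evaluate(selector, message, new StandardEvaluationContext());
    }

    /** Hardened pattern: read-only property and index access only; no T(...), no method calls. */
    static String matchHardened(String selector, Message<?> message) {
        return evaluate(selector, message, SimpleEvaluationContext.forReadOnlyDataBinding().build());
    }

    /** Evaluates the selector with the message as root object; a rejected expression never matches. */
    private static String evaluate(String selector, Message<?> message, EvaluationContext ctx) {
        try {
            Expression expr = PARSER.parseExpression(selector);
            Boolean matched = expr.getValue(ctx, message, Boolean.class);
            return Boolean.TRUE.equals(matched) ? "MATCH" : "NO MATCH";
        } catch (SpelEvaluationException e) {
            return "REJECTED (" + e.getMessageCode() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample message, standing in for one published to a broker destination.
        Message<String> message = MessageBuilder.withPayload("hello")
                .setHeader("foo", "bar")
                .build();

        // What a selector header is meant to carry: a filter over message headers.
        String benign = "headers['foo'] == 'bar'";

        // What an attacker can put in the same header: a type reference plus a method call.
        // Deliberately side-effect free here; a real payload would target java.lang.Runtime.
        String hostile = "T(java.lang.System).getProperty('java.version') != null";

        System.out.println("benign  / StandardEvaluationContext: " + matchVulnerable(benign, message));
        System.out.println("benign  / SimpleEvaluationContext:   " + matchHardened(benign, message));
        System.out.println("hostile / StandardEvaluationContext: " + matchVulnerable(hostile, message));
        System.out.println("hostile / SimpleEvaluationContext:   " + matchHardened(hostile, message));
    }
}
```

The benign selector matches under both contexts, which is why the fix does not break legitimate header filtering. The hostile selector also matches under StandardEvaluationContext, meaning the static method call actually ran inside the broker; under SimpleEvaluationContext it fails at the T(...) type reference with a SpelEvaluationException and is never invoked. The same pattern applies anywhere SpEL is evaluated on untrusted input: parse with the standard parser, but never evaluate with StandardEvaluationContext.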

What is the Impact of CVE-2018-1270?

Successful exploitation may allow attackers to execute arbitrary code on the affected system, leading to full system compromise, data exfiltration, or denial-of-service conditions.

What is the Exploitability of CVE-2018-1270?

Exploitation requires network access to a STOMP over WebSocket endpoint of a Spring Framework application that uses the simple in-memory broker. The attack is remote: the attacker opens a WebSocket session, completes the STOMP CONNECT handshake and sends the crafted frames. Whether that needs credentials depends entirely on how the application protects the WebSocket endpoint; many deployments expose it to any user who can reach the web application, and no privileges on the host are needed. The crafted content is a SpEL expression placed in a STOMP header, so message construction is straightforward, and several public proofs of concept automate it. Publicly reachable STOMP endpoints on an affected spring-messaging version are the key risk factor.

What are the Known Public Exploits?

PoC Author         Link   Commentary
CaledoniaProject   Link   Spring messaging STOMP protocol RCE
genxor             Link   PoC for CVE-2018-1270
tafamace           Link   PoC for CVE-2018-1270

What are the Available Fixes for CVE-2018-1270?

Available Upgrade Options

  • org.springframework:spring-messaging
    • <4.3.16.RELEASE → Upgrade to 4.3.16.RELEASE (4.3.15.RELEASE shipped an incomplete fix, tracked separately as CVE-2018-1275, so 4.3.16.RELEASE is the floor)
  • org.springframework:spring-messaging
    • >=5.0.0.RELEASE, <5.0.5.RELEASE → Upgrade to 5.0.5.RELEASE


Additional Resources

What are Similar Vulnerabilities to CVE-2018-1270?

Similar Vulnerabilities: CVE-2016-4977, CVE-2017-8046, CVE-2017-4995, CVE-2018-1257, CVE-2022-22965