CVE-2018-1275
Remote Code Execution (RCE) vulnerability in spring-messaging (Maven)
What is CVE-2018-1275 About?
Spring Framework versions 5.0 prior to 5.0.5, 4.3 prior to 4.3.16, and older unsupported versions are vulnerable to Remote Code Execution. This occurs when applications expose STOMP over WebSocket endpoints with an in-memory STOMP broker. A malicious user can craft a message to trigger arbitrary code execution. This is a severe vulnerability that can be exploited with moderate complexity.
Affected Software
- org.springframework:spring-messaging
- >5.0.0.RELEASE, <5.0.5.RELEASE
- <4.3.16.RELEASE
Technical Details
This vulnerability affects the spring-messaging module of the Spring Framework, specifically applications that expose STOMP over WebSocket endpoints backed by the simple in-memory STOMP broker. The flaw allows a malicious user to craft a message that, when processed by the broker, can lead to remote code execution. CVE-2018-1275 was assigned to address the partial (incomplete) fix for CVE-2018-1270. The underlying mechanism likely involves improper handling or deserialization of message payloads or headers, allowing an attacker to inject and execute arbitrary code within the server's context. The crafted message exploits weaknesses in the broker's message processing logic, bypassing intended security boundaries.
What is the Impact of CVE-2018-1275?
Successful exploitation may allow attackers to execute arbitrary code on the server, gain full control of the compromised system, exfiltrate sensitive data, or establish persistent backdoors.
What is the Exploitability of CVE-2018-1275?
Exploitation would involve an attacker crafting and sending a malicious STOMP message to the vulnerable WebSocket endpoint. The complexity is moderate, requiring knowledge of the STOMP protocol and of how to craft the specific payload that triggers the RCE. Whether authentication to the WebSocket endpoint is required depends on the application's security configuration for STOMP. No elevated privileges are needed once the malicious message is delivered. This is a remote vulnerability, reachable wherever the WebSocket endpoint is exposed. The primary prerequisite is an application running an affected Spring Framework version and exposing STOMP over WebSocket endpoints backed by the in-memory broker. The risk increases if the endpoint serves untrusted clients.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-1275?
Available Upgrade Options
- org.springframework:spring-messaging
- <4.3.16.RELEASE → Upgrade to 4.3.16.RELEASE
- org.springframework:spring-messaging
- >5.0.0.RELEASE, <5.0.5.RELEASE → Upgrade to 5.0.5.RELEASE
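To check a build against the ranges above, here is an added example (not code from this page or from the Spring project) that parses Spring-style version strings, tests them against the affected ranges and upgrade targets listed on this page, and scans `mvn dependency:tree` output for the spring-messaging artifact, which often arrives transitively through spring-websocket or a Boot starter. Assumption: 5.0.0.RELEASE itself is treated as affected, following the description's "5.0 prior to 5.0.5" rather than the strict ">5.0.0" in the range list; the sample tree output is constructed.

```python
import re

# Affected ranges and upgrade targets as listed on this page for
# org.springframework:spring-messaging. Each entry is
# (lower bound inclusive or None, upper bound exclusive, fixed version).
# Assumption: 5.0.0.RELEASE is treated as affected, per "5.0 prior to 5.0.5".
AFFECTED_RANGES = [
    (None, (4, 3, 16), "4.3.16.RELEASE"),     # <4.3.16.RELEASE
    ((5, 0, 0), (5, 0, 5), "5.0.5.RELEASE"),  # 5.0.0 up to, not including, 5.0.5
]

# Matches the spring-messaging artifact in `mvn dependency:tree` output.
TREE_LINE = re.compile(r"org\.springframework:spring-messaging:jar:([^:\s]+):")


def parse_version(version: str) -> tuple:
    """Reduce '5.0.4.RELEASE', '4.3.16' or '5.0.0.RC1' to a comparable (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    return tuple(int(x) for x in m.groups())


def fix_for(version: str):
    """Return the upgrade target if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return fixed
    return None


def scan_dependency_tree(tree_output: str) -> list:
    """Report (found version, upgrade target) for every affected spring-messaging entry."""
    findings = []
    for line in tree_output.splitlines():
        m = TREE_LINE.search(line)
        if m:
            fixed = fix_for(m.group(1))
            if fixed:
                findings.append((m.group(1), fixed))
    return findings


# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_TREE = """\
[INFO] +- org.springframework:spring-websocket:jar:5.0.4.RELEASE:compile
[INFO] |  \\- org.springframework:spring-messaging:jar:5.0.4.RELEASE:compile
[INFO] +- org.springframework:spring-core:jar:5.0.4.RELEASE:compile
"""

if __name__ == "__main__":
    for found, target in scan_dependency_tree(SAMPLE_TREE):
        print(f"spring-messaging {found} is affected by CVE-2018-1275; upgrade to {target}")
```

Pipe real output into `scan_dependency_tree` (for example `mvn dependency:tree -Dincludes=org.springframework:spring-messaging`) to catch transitive versions that a pom.xml grep would miss.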
Additional Resources
- https://web.archive.org/web/20190901081835/http://www.securitytracker.com/id/1041301
- http://www.securitytracker.com/id/1041301
- https://github.com/spring-projects/spring-framework/commit/e0de9126ed8cf25cf141d3e66420da94e350708a
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-1275
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E
What are Similar Vulnerabilities to CVE-2018-1275?
Similar Vulnerabilities: CVE-2018-1270, CVE-2022-22965, CVE-2022-22963, CVE-2020-5398, CVE-2016-5007
