CVE-2018-15756
Denial of Service vulnerability in spring-core (Maven)

Type: Denial of Service. Known public exploit: none.

What is CVE-2018-15756 About?

This is a Denial of Service vulnerability in Spring Framework applications that support HTTP range requests for static resources. Attackers can exploit it by sending specially crafted Range headers, leading to resource exhaustion. The vulnerability is relatively easy to exploit if the application serves static resources or uses annotated controllers that return Resource objects.

Affected Software

  • org.springframework:spring-core
    • >4.2.0.RELEASE, <4.3.20.RELEASE
    • >5.0.0.RELEASE, <5.0.10.RELEASE
    • >5.1.0.RELEASE, <5.1.1.RELEASE

Technical Details

The vulnerability affects Spring Framework versions 5.1, 5.0.x prior to 5.0.10, 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch. It arises from the framework's support for range requests when serving static resources via ResourceHttpRequestHandler or when an annotated controller returns an org.springframework.core.io.Resource. A malicious user can craft HTTP requests containing a Range header with an exceptionally large number of ranges, or with wide, overlapping ranges. This forces the server to perform extensive and resource-intensive processing (e.g., memory allocation, file I/O operations) to fulfill these complex range requests, leading to resource exhaustion and a Denial of Service condition. Spring Boot applications using spring-boot-starter-web or spring-boot-starter-webflux are particularly susceptible as they serve static resources by default.
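As an added illustration, not code from the advisory or from Spring itself, the Python below resolves a Range header into absolute byte ranges and applies the two guards the description above implies: a cap on the number of ranges and refusal of overlapping ranges. The sample headers and the cap value are constructed for this example.

```python
import re

# Constructed sample Range headers (not from the advisory): a normal download
# resume, and the two request shapes the advisory describes.
SAMPLE_HEADERS = {
    "resume": "bytes=1048576-",
    "many-ranges": "bytes=" + ",".join("0-0" for _ in range(500)),
    "overlapping": "bytes=0-999999,1-999999,2-999999",
}
MAX_RANGES = 100  # assumed cap for this example; tune to what real clients send
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header, resource_length):
    """Resolve an RFC 7233 'bytes=' header into absolute (first, last) pairs.
    Returns None for a malformed header (serve the whole resource instead);
    unsatisfiable parts (start beyond the end) are dropped."""
    if not header.startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None
        first, last = m.group(1), m.group(2)
        if first == "":  # suffix range '-N': the last N bytes
            lo, hi = max(0, resource_length - int(last)), resource_length - 1
        else:            # 'N-' or 'N-M', clamped to the resource length
            lo = int(first)
            hi = min(int(last), resource_length - 1) if last else resource_length - 1
        if lo <= hi:
            ranges.append((lo, hi))
    return ranges


def assess_range_header(header, resource_length, max_ranges=MAX_RANGES):
    """Return ('full' | 'accept' | 'reject', number of ranges).
    'reject' covers the two shapes in the advisory: more ranges than the cap,
    or overlapping ranges; RFC 7233 section 6.1 permits refusing such requests,
    so a guard like this is a stopgap until the fixed spring-core is deployed."""
    ranges = parse_byte_ranges(header, resource_length)
    if not ranges:
        return "full", 0
    if len(ranges) > max_ranges:
        return "reject", len(ranges)
    ordered = sorted(ranges)
    for (_, prev_hi), (cur_lo, _) in zip(ordered, ordered[1:]):
        if cur_lo <= prev_hi:  # ranges are not disjoint
            return "reject", len(ranges)
    return "accept", len(ranges)
```

In a Java deployment the equivalent check would sit in a servlet filter ahead of ResourceHttpRequestHandler, with a 416 or a full 200 response for rejected requests; upgrading spring-core remains the actual fix.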

What is the Impact of CVE-2018-15756?

Successful exploitation may allow attackers to disrupt the availability of the affected system or application, causing it to become unresponsive or crash.

What is the Exploitability of CVE-2018-15756?

Exploitation of this Denial of Service vulnerability is of low to moderate complexity. It can be achieved remotely with no authentication required, as it targets how static resources are served. The primary prerequisite is that the target application uses Spring Framework and is configured to serve static resources or has controllers returning org.springframework.core.io.Resource objects. Attackers simply need to send HTTP requests with malformed or excessive Range headers. The risk is significantly higher for Spring Boot applications that typically serve static content out-of-the-box, making them a common target.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2018-15756?

Available Upgrade Options

  • org.springframework:spring-core
    • >4.2.0.RELEASE, <4.3.20.RELEASE → Upgrade to 4.3.20.RELEASE
    • >5.0.0.RELEASE, <5.0.10.RELEASE → Upgrade to 5.0.10.RELEASE
    • >5.1.0.RELEASE, <5.1.1.RELEASE → Upgrade to 5.1.1.RELEASE

Additional Resources

What are Similar Vulnerabilities to CVE-2018-15756?

Similar Vulnerabilities: CVE-2020-13936, CVE-2019-10086, CVE-2018-1294, CVE-2017-8046, CVE-2017-7661