@@ -21,14 +21,17 @@ Spring Framework also provides two classes that extend <code>RemoteInvocationSer
2121<p >
2222These classes export specified beans as HTTP endpoints that deserialize data from an HTTP request
2323using unsafe <code >ObjectInputStream</code >. If a remote attacker can reach such endpoints,
24- it results in remote code execution.
24+ it results in remote code execution in the worst case.
25+ </p >
26+ <p >
27+ CVE-2016-1000027 has been assigned to this issue in Spring Framework. There is no fix for that.
2528</p >
2629</overview >
2730
2831<recommendation >
2932<p >
3033Avoid using <code >HttpInvokerServiceExporter</code >, <code >SimpleHttpInvokerServiceExporter</code >
31- and other exporters that are based on <code >RemoteInvocationSerializingExporter</code >.
34+ and any other exporter that is based on <code >RemoteInvocationSerializingExporter</code >.
3235Instead, use other message formats for API endpoints (for example, JSON),
3336but make sure that the underlying deserialization mechanism is properly configured
3437so that deserialization attacks are not possible. If the vulnerable exporters can not be replaced,
@@ -50,6 +53,14 @@ OWASP:
5053<a href =" https://www.owasp.org/index.php/Deserialization_of_untrusted_data" a >.
5154</li >
5255<li >
56+ Spring Framework API documentation:
57+ <a href =" https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.html" a >
58+ </li >
59+ <li >
60+ Spring Framework API documentation:
61+ <a href =" https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.html" a >
62+ </li >
63+ <li >
5364National Vulnerability Database:
5465<a href =" https://nvd.nist.gov/vuln/detail/CVE-2016-1000027" a >
5566</li >
@@ -66,4 +77,5 @@ OpenJDK:
6677<a href =" https://openjdk.java.net/jeps/290" a >
6778</li >
6879</references >
80+
6981</qhelp >
0 commit comments