Spring Untrusted Java Deserialization Vulnerability CVE-2016-1000027
Issue date: 16-09-2022
Affects versions: 15.1, 14.7, 13.4
Security Issue ID
SECURITY-342
Affected Product Version(s)
15.1.0, 14.7.8, 13.4.18, and all previous versions
Severity
medium
Description
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.
This is not a vulnerability in Spring itself; it is mostly about how applications use it. Pivotal Spring Framework doesn't have a plan to fix this. It is advised not to use Java serialization for external endpoints, in particular not for unauthorized ones.
Instructions
Verify that project code follows the usage recommendations for the Spring library.
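The advisory's recommendation is to keep Java serialization off external endpoints altogether. Where a code review finds an `ObjectInputStream` that still reads request data, the check below is an added illustration (not code from the advisory, from Spring, or from the affected product) of the difference between the unsafe pattern and a defence-in-depth mitigation: attaching a class allow-list filter (`java.io.ObjectInputFilter`, available since JDK 9) so that only the DTO type the application expects can be instantiated from the stream. The `Greeting` and `NotExpected` classes, the filter pattern and the sample payloads are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationFilterDemo {

    // Hypothetical DTO that the application legitimately expects on the wire.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Hypothetical class that a caller could put on the wire but which the endpoint never expects.
    public static final class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list filter: only the expected DTO and JDK base types may be deserialized,
    // with limits on graph depth and reference count; "!*" rejects everything else
    // before its readObject()/constructor logic ever runs. Pattern syntax is that of
    // ObjectInputFilter.Config.createFilter (same syntax as the -Djdk.serialFilter property).
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$Greeting;java.base/*;maxdepth=5;maxrefs=100;!*");

    // Unsafe pattern the advisory warns about: untrusted bytes fed straight into ObjectInputStream.
    // Any Serializable class on the classpath can be instantiated by the sender.
    static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the same stream, but with the allow-list filter attached per stream.
    static Object filteredRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject();
        }
    }

    // Helper used only to build the constructed sample payloads below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));   // constructed: legitimate payload
        byte[] unexpected = serialize(new NotExpected());     // constructed: payload of an unexpected class

        // Without a filter the unexpected class is instantiated without complaint.
        System.out.println("unsafe read instantiated: " + unsafeRead(unexpected).getClass().getName());

        // With the filter the expected DTO still works ...
        System.out.println("filtered read of DTO: " + ((Greeting) filteredRead(expected)).text);

        // ... and the unexpected class is rejected with InvalidClassException (filter status REJECTED).
        try {
            filteredRead(unexpected);
            System.out.println("filter did not reject (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected: " + e.getMessage());
        }
    }
}
```

Run with `java DeserializationFilterDemo.java` on JDK 11 or later. During the code review the advisory calls for, the per-stream filter (or the JVM-wide `jdk.serialFilter` property) is the minimum to look for on any `ObjectInputStream` that cannot be removed; it limits which classes can be created, but it does not make accepting serialized Java objects from unauthenticated clients a sound design, which is why the advisory's first-line recommendation remains to avoid Java serialization on external endpoints.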