Spring Untrusted Java Deserialization Vulnerability CVE-2016-1000027 

Issue date: 16-09-2022
Affects versions: 15.1, 14.7, 13.4

Security Issue ID

SECURITY-342

 

Affected Product Version(s)

15.1.0, 14.7.8, 13.4.18, and all previous versions


Severity 

medium


Description

CVE-2016-1000027

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required.

This is not a vulnerability in Spring itself; it is mostly about how applications use it. Pivotal Spring Framework doesn't have a plan to fix this. It is advised not to use Java serialization for external endpoints, in particular not for unauthorized ones.
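As an added example (not part of this advisory or of Spring itself), the following Java snippet shows the defensive check worth having wherever Java serialization cannot be removed from an endpoint: a per-stream ObjectInputFilter (Java 9+) that admits only an explicit allowlist of classes and rejects everything else before any object is instantiated. OrderDto and the allowlist contents are assumptions chosen for illustration.

```java
import java.io.*;
import java.util.Set;

// Added example, not code from the advisory or from Spring: an allowlist
// deserialization filter. Endpoints that still accept serialized Java objects
// should reject every class not explicitly expected, so that attacker-chosen
// types never reach their constructors or readObject() methods.
public class DeserializationAllowlist {

    // Hypothetical application DTO that is legitimately exchanged.
    public static final class OrderDto implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        OrderDto(String id) { this.id = id; }
    }

    // Classes permitted on the wire; extend only with your own DTOs.
    private static final Set<String> ALLOWED = Set.of(
        OrderDto.class.getName(), "java.lang.String");

    static ObjectInputFilter allowlistFilter() {
        return info -> {
            // Bound graph depth and reference count to blunt resource-exhaustion payloads.
            if (info.depth() > 10 || info.references() > 1_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {                       // no class descriptor in this callback
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowlistFilter());   // install before readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(((OrderDto) deserialize(serialize(new OrderDto("A-1")))).id);
        try {   // a type outside the allowlist is refused with InvalidClassException
            deserialize(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same policy can be applied process-wide with ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property, which also covers Spring remoting exporters you do not construct yourself.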

Instructions

Verify that project code follows the usage recommendations for the Spring library.