Improperly Implemented Security Check for Standard, Improper Authorization and Improper Input Validation in Spring Framework (CVE-2018-1257, CVE-2018-1258, CVE-2018-1270)Issue date: 31-10-2018
Issue ID: SECURITY-76
Affected Product Version(s)
This vulnerability affects all versions of both CMS and delivery applications based on Hippo CMS prior to 12.4.0, 11.2.13, 10.2.16 and earlier versions.
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
Spring Security in combination with Spring Framework versions prior to 5.0.6 contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
These vulnerabilities are classified with medium and high severity, and may (also) apply to project specific usages of the Spring Framework library within a Hippo CMS project.
The Spring Framework version in all supported CMS maintenance versions 10.2.17, 11.2.14, 12.4.1 and 12.5.0 has been updated to version 4.3.18.
Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.