
CVE-2016-1000027


Learn about the CVE-2016-1000027 Spring Framework vulnerability, its background, its description, its weakness enumeration, its known affected software configurations, and how to fix it.

The background of CVE-2016-1000027

CVE-2016-1000027 is a Spring Framework vulnerability that belongs to the Java deserialization vulnerability category.

More specifically, CVE-2016-1000027 is a critical vulnerability affecting the package org.springframework/spring-web. It allows deserialization of untrusted data, which can ultimately lead to Remote Code Execution (RCE). The root cause is that the readRemoteInvocation method of the HttpInvokerServiceExporter class does not sufficiently restrict or verify untrusted objects before deserializing them.

For general steps on how to protect your apps from Java deserialization vulnerabilities, read the Contrast Security blog post from 2015, which still holds true today.

Protect your applications from Java security issues

What is The Spring Framework?

The Spring Framework provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

A key element of Spring is infrastructural support at the application level: Spring focuses on the "plumbing" of enterprise applications so that teams can focus on application-level business logic, without unnecessary ties to specific deployment environments.

Description of CVE-2016-1000027

The National Vulnerability Database cites the following: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

CVE-2016-1000027 Weakness Enumeration

This CVE-2016-1000027 vulnerability allows deserialization of untrusted data, which can ultimately lead to Remote Code Execution (RCE). The root cause is that the readRemoteInvocation method of the HttpInvokerServiceExporter class does not sufficiently restrict or verify untrusted objects before deserializing them.

Serialization is the process by which developers turn their data structures into a stream of bytes for transport or storage. Deserialization is the reverse process, performed when the data is received. See the Contrast Security blog for recommendations on how to protect your apps from Java deserialization vulnerabilities.

Read CWE-502: Deserialization of Untrusted Data on the Common Weakness Enumeration site for full details.

Known Affected Software Configurations

The National Vulnerability Database has the latest information on CVE-2016-1000027, which may be updated as new research becomes available. See the full list of known affected software configurations on the NVD site.

How to fix an application that is affected by CVE-2016-1000027

While for a time this vulnerability was considered to have no fix, it has now been fixed with the release of Spring Framework version 6.0.0. However, protecting your applications from Java serialization vulnerabilities in general is an ongoing challenge for many application security teams.

Contrast Security has a solution that uses our patented application security instrumentation platform to find and fix this Java security issue both quickly and accurately. Contrast Security can identify this problem during development using Contrast Assess, our IAST (Interactive Application Security Testing) approach. Contrast can also protect applications in production using Contrast Protect, our RASP (Runtime Application Self-Protection) features, to block the problem immediately or generate security alerts, with no re-coding necessary. One Contrast agent protects all applications on a server, so it is easy to protect your entire portfolio against serialization attacks as well as a broad array of other vulnerabilities and attacks.

