CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities
3.0.0 to 3.0.5
2.0.0 to 2.0.6
3.0.0 to 3.0.5
Earlier versions may also be affected
Several issues have been reported which may affect applications which de-serialize objects from an untrusted source such as a remote client. It is possible for a malicious client to inject undesirable behaviour into the server by serializing proxies rather than specific class instances, or by taking advantage of internal AOP interfaces which were being exposed through the remote service, in addition to the service interface.
It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote service.
Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to circumvent the server-side checking of the submitted token.
Applications which use serialization-based remoting are likely to be vulnerable. In the long-term, we would recommend users migrate away from serialization-based remoting in cases where the client cannot be trusted, as it is a potential source of vulnerabilities in both Spring and non-Spring applications.
All users may mitigate this issue by upgrading to Spring Framework 3.0.6 and Spring Security 3.0.6. Spring Framework users should make use of the additional features introduced to prevent deserialization of malicious proxies. These are described below.
Users of Spring Security 2.0.x may upgrade to 2.0.7
RemoteInvocationSerializingExporter (the base class for HttpInvokerServiceExporter) now has an "acceptProxyClasses" flag which should be set to false if using Spring remoting. This will prevent any deserialization of proxies through Spring remoting, thus providing additional protection against future attacks of this kind which may use other serializable classes.
DefaultListableBeanFactory instances can no longer be deserialized other than through a SerializedBeanFactoryReference, which resolves to an existing bean factory instance on the server side. In addition, the serialization ID can be customized, to prevent a client from guessing it, by setting a value for "contextId" in the web.xml file as a context-param and as an init-param for instances of FrameworkServlet (such as Spring's DispatcherServlet).
RemoteExporter now uses an "opaque" proxy to limit exported methods to those of the service interface. This prevent access to interfaces such as org.springframework.aop.framework.Advised.
Spring Security remoting has been changed to prevent the submission of an Authentication instance by a remote client. It now only supports username/password authentication. This removes any possibility of an untrusted Authentication object being created on the server and prevents any of the associated attack vectors.
The issue was discovered by Wouter Coekaerts (http://wouter.coekaerts.be/).
2011-09-09: Original advisory