Spring Security Advisories

CVE-2017-8045: Remote code execution in spring-amqp

HIGH | SEPTEMBER 19, 2017 | CVE-2017-8045

Description

In affected versions of Spring AMQP, an org.springframework.amqp.core.Message may be unsafely deserialized when it is converted into a string. A malicious payload could be crafted to exploit this and enable remote code execution.
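As an added illustration of the bug class named above (this is not Spring AMQP's code and not the fix shipped in the releases listed below), the following Java class contrasts a string conversion that deserializes any serialized body with one that reconstructs only allow-listed classes through a JEP 290 ObjectInputFilter (Java 9 and later). The class and method names and the content-type value are assumptions made for the example; the sample bodies are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration: rendering a message as a string must not deserialize an
 * untrusted body. Not Spring AMQP code; the class, method names and the
 * content-type value are assumptions for this example.
 */
public final class SafeMessageToString {

    // Assumed content type that marks a Java-serialized body.
    static final String SERIALIZED_OBJECT = "application/x-java-serialized-object";

    // JEP 290 allow-list (Java 9+): only these classes may be reconstructed;
    // the trailing "!*" rejects every other class before its readObject() runs.
    private static final ObjectInputFilter ALLOW_LIST =
        ObjectInputFilter.Config.createFilter("java.lang.String;java.lang.Integer;!*");

    /** Vulnerable pattern: any serialized body is deserialized just to print it. */
    static String unsafeToString(byte[] body, String contentType)
            throws IOException, ClassNotFoundException {
        if (SERIALIZED_OBJECT.equals(contentType)) {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
                // Any class on the classpath can be instantiated here from attacker-chosen bytes.
                return String.valueOf(in.readObject());
            }
        }
        return new String(body, StandardCharsets.UTF_8);
    }

    /** Hardened pattern: deserialize only allow-listed classes, otherwise describe the body opaquely. */
    static String safeToString(byte[] body, String contentType) {
        if (!SERIALIZED_OBJECT.equals(contentType)) {
            return new String(body, StandardCharsets.UTF_8);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return String.valueOf(in.readObject());
        } catch (InvalidClassException e) {
            // The filter rejected a class: report it, do not reconstruct it.
            return "[serialized object rejected by filter: " + e.getMessage() + "]";
        } catch (IOException | ClassNotFoundException e) {
            return "[unreadable serialized body, " + body.length + " bytes]";
        }
    }

    /** Demo helper: serialize an object to bytes (constructed sample input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] text = "plain text body".getBytes(StandardCharsets.UTF_8);
        byte[] allowed = serialize("a serialized java.lang.String");
        List<String> list = new ArrayList<>();
        list.add("x");
        byte[] notAllowed = serialize(list);   // ArrayList is not on the allow-list

        System.out.println(safeToString(text, "text/plain"));
        System.out.println(safeToString(allowed, SERIALIZED_OBJECT));
        System.out.println(safeToString(notAllowed, SERIALIZED_OBJECT));
        // unsafeToString(notAllowed, SERIALIZED_OBJECT) would rebuild the list without any
        // check, and would do the same for whatever class the sender chose to put on the wire.
    }
}
```

The third call prints a rejection message instead of reconstructing the list, because the filter answers REJECTED for java.util.ArrayList and ObjectInputStream turns that into an InvalidClassException before any readObject() of the incoming class can run. The same property (no untrusted class is instantiated while merely rendering a message for a log line) is what the fixed releases restore; upgrading is the mitigation the advisory prescribes, and an application-level filter like this one is the defence-in-depth a consumer can add on its own side.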

Affected Spring Products and Versions

  • Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
      • Spring AMQP: 2.0.0, 1.7.4, 1.6.11, 1.5.7

Credit

This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.

History

  • 2017-09-19: Initial vulnerability report published
