CVE-2017-8045: Remote code execution in spring-amqp
Severity
High
Vendor
Spring by Pivotal
Description
In affected versions of Spring AMQP, an org.springframework.amqp.core.Message may be unsafely deserialized when it is converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7
Mitigation
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Spring AMQP: 2.0.0, 1.7.4, 1.6.11, 1.5.7
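As an added example that is not part of this advisory, the affected-version rule above expressed as a check a defender can run over Maven dependency output. The `mvn dependency:list` line format, the assumption that spring-rabbit artifacts share spring-amqp's version numbering, and the conservative treatment of milestone, RC or snapshot builds of a fix version are assumptions of this example, not statements from the advisory.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases named in the advisory, keyed by maintenance branch (major, minor).
FIXED_BY_BRANCH = {(1, 5): (1, 5, 7), (1, 6): (1, 6, 11), (1, 7): (1, 7, 4), (2, 0): (2, 0, 0)}
OLDEST_FIXED = (1, 5, 7)
PRE_RELEASE = re.compile(r"(?i)^(M\d+|RC\d+|BUILD-SNAPSHOT|SNAPSHOT)$")

def parse_version(text: str) -> Tuple[Optional[Tuple[int, int, int]], str]:
    """Split '1.6.10.RELEASE' into ((1, 6, 10), 'RELEASE'); the qualifier may be empty."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?$", text.strip())
    if not m:
        return None, ""
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) or ""

def is_affected(version_text: str) -> bool:
    """True if this Spring AMQP version predates the fixed release on its branch."""
    version, qualifier = parse_version(version_text)
    if version is None:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # Branches the advisory does not list: anything older than 1.5.7 is
        # "prior to 1.5.7" and therefore affected; newer branches (1.8+, 2.1+) are not.
        return version < OLDEST_FIXED
    if version == fixed and PRE_RELEASE.match(qualifier):
        # Conservative assumption, not stated in the advisory: a milestone, RC or
        # snapshot of the fix version may predate the fix, so treat it as affected.
        return True
    return version < fixed

DEP_LINE = re.compile(r"org\.springframework\.amqp:([\w-]+):\w+:([^:\s]+)")

def scan_dependency_list(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Check each Maven 'group:artifact:type:version[:scope]' line against the fix list."""
    findings = []
    for line in lines:
        m = DEP_LINE.search(line)
        if m:
            findings.append((m.group(1), m.group(2), is_affected(m.group(2))))
    return findings

# Constructed sample in the shape of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCIES = [
    "[INFO]    org.springframework.amqp:spring-amqp:jar:1.6.10.RELEASE:compile",
    "[INFO]    org.springframework.amqp:spring-rabbit:jar:1.7.4.RELEASE:compile",
    "[INFO]    org.springframework:spring-core:jar:4.3.10.RELEASE:compile",
]
```

Run `scan_dependency_list(SAMPLE_DEPENDENCIES)` to see which artifacts still need the upgrade; feed it the real output of `mvn dependency:list` for a project to check that project.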
Credit
This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.
References
- https://jira.spring.io/browse/AMQP-766
- https://docs.spring.io/spring-amqp/docs/1.6.11.RELEASE/reference/html/_reference.html#_message
History
2017-09-19: Initial vulnerability report published