Number: AV18-037
Date: 06 March 2018
Purpose
The purpose of this advisory is to bring attention to a Pivotal Spring Security Update.
Assessment
Pivotal Spring has released updates to address security vulnerabilities in various Spring web application products. Exploitation of these vulnerabilities may allow execution of arbitrary commands on web applications built using Spring Data REST.
Affected Versions:
- Spring Data REST versions prior to 2.5.12, 2.6.7, 3.0 RC3
- Spring Boot versions prior to 2.0.0M4
- Spring Data release trains prior to Kay-RC3
Suggested Action
CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.
References:
https://pivotal.io/security/cve-2017-8046
https://lgtm.com/blog/spring_data_rest_CVE-2017-8046