Published:2018/02/02  Last Updated:2018/05/10

JVN#15643848
Spring Security and Spring Framework vulnerable to authentication bypass

Overview

Spring Security and Spring Framework contain an authentication bypass vulnerability.

Products Affected

  • Spring Security 4.1.0 to 4.1.4
  • Spring Security 4.2.0 to 4.2.3
  • Spring Security 5.0.0
  • Spring Framework 4.3.0 to 4.3.13
  • Spring Framework 5.0.0 to 5.0.2
The developer states that "Older unmaintained versions of Spring Security & Spring Framework were not analyzed and may be impacted".

Description

Spring Framework and Spring Security provided by Pivotal Software, Inc. contain an authentication bypass vulnerability.

Impact

A remote attacker can bypass authentication. As a result, the attacker gains access to the server and information may be disclosed.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
FUJITSU LIMITED Vulnerable 2018/05/10
NEC Corporation Vulnerable 2018/03/26
Vendor Link
Pivotal Software, Inc. CVE-2018-1199: Security bypass with static resources

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score: 5.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Macchinetta Framework Development Team´╝ÜNTT COMWARE, NTT DATA Corporation, and NTT reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2018-1199
JVN iPedia JVNDB-2018-000008

Update History

2018/02/02
Fixed spelling error under "Overview"
2018/02/07
Information under the sections "Vendor Status" and "Other Information" was updated
2018/02/08
Information under the section "Credit" was updated
2018/02/19
NEC Corporation update status
2018/03/26
NEC Corporation update status
2018/04/17
FUJITSU LIMITED update status
2018/05/10
FUJITSU LIMITED update status