Related vulnerability
Description
Mitigated spring-web build for CVE-2016-1000027.
Introduction
# Spring-Web-5xx-Mitigated-version
## Overview
This mitigated build of Spring Web 5.x exists for teams whose software composition analysis tooling (Sonatype, Mend) flags the artifact for CVE-2016-1000027. That advisory describes a remote code execution (RCE) risk when Spring Framework's HTTP Invoker support is used for Java deserialization of untrusted data. The issue was originally reported against Spring Framework 4.1.4, but the same `HttpInvokerServiceExporter` code is shipped by the later 4.x and 5.x releases as well. The recommended resolution is to upgrade beyond 5.x (Spring Framework 6 drops the HTTP Invoker support), which in turn requires OpenJDK 17 or later. Many organizations are still constrained to OpenJDK 8 for technical reasons, so this build was produced as an interim measure for them.
## Key Features
- **Vulnerability Mitigation**: `HttpInvokerServiceExporter.handleRequest` is the servlet-facing entry point that reads a serialized `RemoteInvocation` from the HTTP request body with `ObjectInputStream`. This build removes that method, so the exporter can no longer deserialize attacker-controlled request bodies, which is the CVE-2016-1000027 RCE path in spring-web.
- **Reduced Functionality**: Because `handleRequest` is gone, services exported over Spring's HTTP Invoker through `HttpInvokerServiceExporter` no longer work in this build; an application that still relies on them will break rather than be silently exposed.
## Prerequisites
- **Java Version**: The official fix (moving beyond 5.x) requires OpenJDK 17 or later; this build targets organizations constrained to OpenJDK 8 by specific technical requirements.
- **Note**: This build assumes your application does not need the `handleRequest` functionality of `HttpInvokerServiceExporter`, i.e. it does not export services over Spring's HTTP Invoker. Confirm this before deploying: search your configuration for `HttpInvokerServiceExporter` beans (XML `<bean class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">` definitions or `@Bean` methods returning that type). If none exist, the vulnerable endpoint is not mapped in your application in the first place, and this build only serves to silence the scanner finding.
## Usage
Replace the spring-web artifact on your application's classpath with the `spring-web-5.3.30.jar` shipped in this repository, and verify after the swap that the deployed `HttpInvokerServiceExporter` class really no longer declares `handleRequest` before relying on the mitigation.
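The following is an added verification example, not code from this repository or from the Spring project. It reads the `HttpInvokerServiceExporter` class file straight out of a jar and lists the methods it declares, so it can confirm whether `handleRequest` is present without loading the class (loading would drag in spring-core and spring-beans). It parses only the class-file method table; the jar path is taken from the first argument, and `spring-web-5.3.30.jar` in the current directory is an assumed default. Run it once against this build and once against the upstream spring-web 5.3.30 from Maven Central to see the difference.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarFile;
import java.util.zip.ZipEntry;

/**
 * Checks whether HttpInvokerServiceExporter inside a spring-web jar still
 * declares handleRequest(). Reads the class file bytes directly, so no Spring
 * dependency is needed and JDK 8 suffices:
 *   javac HandleRequestCheck.java && java HandleRequestCheck spring-web-5.3.30.jar
 */
public class HandleRequestCheck {

    static final String EXPORTER_ENTRY =
        "org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.class";

    /** Returns the names of every method declared in the class file read from in. */
    static List<String> declaredMethodNames(InputStream in) throws IOException {
        DataInputStream d = new DataInputStream(in);
        if (d.readInt() != 0xCAFEBABE) {
            throw new IOException("not a class file");
        }
        d.readUnsignedShort(); // minor_version
        d.readUnsignedShort(); // major_version

        // Constant pool: keep CONSTANT_Utf8 entries, skip every other entry by tag.
        int cpCount = d.readUnsignedShort();
        String[] utf8 = new String[cpCount];
        for (int i = 1; i < cpCount; i++) {
            int tag = d.readUnsignedByte();
            switch (tag) {
                case 1:  utf8[i] = d.readUTF(); break;      // Utf8: u2 length + modified UTF-8
                case 3: case 4: d.readInt(); break;         // Integer, Float
                case 5: case 6: d.readLong(); i++; break;   // Long, Double occupy two slots
                case 7: case 8: case 16: case 19: case 20:
                    d.readUnsignedShort(); break;           // Class, String, MethodType, Module, Package
                case 9: case 10: case 11: case 12: case 17: case 18:
                    d.readInt(); break;                     // Field/Method/InterfaceMethodref, NameAndType, (Invoke)Dynamic
                case 15: d.readUnsignedByte(); d.readUnsignedShort(); break; // MethodHandle
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }

        d.readUnsignedShort(); // access_flags
        d.readUnsignedShort(); // this_class
        d.readUnsignedShort(); // super_class
        int interfaceCount = d.readUnsignedShort();
        for (int i = 0; i < interfaceCount; i++) {
            d.readUnsignedShort();
        }
        skipMembers(d); // fields: same layout as methods, not needed here

        int methodCount = d.readUnsignedShort();
        List<String> names = new ArrayList<String>();
        for (int i = 0; i < methodCount; i++) {
            d.readUnsignedShort();                  // access_flags
            names.add(utf8[d.readUnsignedShort()]); // name_index -> CONSTANT_Utf8
            d.readUnsignedShort();                  // descriptor_index
            skipAttributes(d);
        }
        return names;
    }

    static void skipMembers(DataInputStream d) throws IOException {
        int count = d.readUnsignedShort();
        for (int i = 0; i < count; i++) {
            d.readUnsignedShort(); // access_flags
            d.readUnsignedShort(); // name_index
            d.readUnsignedShort(); // descriptor_index
            skipAttributes(d);
        }
    }

    static void skipAttributes(DataInputStream d) throws IOException {
        int count = d.readUnsignedShort();
        for (int i = 0; i < count; i++) {
            d.readUnsignedShort();         // attribute_name_index
            int length = d.readInt();      // attribute_length
            d.readFully(new byte[length]); // readFully never short-reads, unlike skipBytes
        }
    }

    public static void main(String[] args) throws IOException {
        String jarPath = args.length > 0 ? args[0] : "spring-web-5.3.30.jar"; // assumed default
        try (JarFile jar = new JarFile(jarPath)) {
            ZipEntry entry = jar.getEntry(EXPORTER_ENTRY);
            if (entry == null) {
                System.out.println(jarPath + ": HttpInvokerServiceExporter is not in this jar at all");
                return;
            }
            List<String> names;
            try (InputStream in = jar.getInputStream(entry)) {
                names = declaredMethodNames(in);
            }
            if (names.contains("handleRequest")) {
                System.out.println(jarPath + ": handleRequest is PRESENT; an exported HTTP invoker "
                    + "endpoint would still deserialize request bodies with ObjectInputStream");
            } else {
                System.out.println(jarPath + ": handleRequest is absent, as this README claims");
            }
            System.out.println("declared methods: " + names);
        }
    }
}
```

The check answers exactly one question: whether the servlet entry point is still declared in the jar you are about to deploy. It says nothing about how the application is wired, so pair it with the bean search described under Prerequisites, and re-run it whenever the jar is rebuilt or a dependency upgrade pulls the upstream spring-web artifact back onto the classpath.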
## Disclaimer
This mitigated version aims to provide an interim solution for organizations facing challenges in adopting the recommended Spring Framework update. Users are encouraged to regularly check for official updates and migrate to newer versions as soon as their technical constraints allow.
## License
This software is provided under the terms of the ISC License. See the [LICENSE](LICENSE) file for details.
## Acknowledgments
Special thanks to the Spring Framework community for their continuous efforts in enhancing the security and functionality of the framework.
## More Reference
https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce/java/sid-22252
File snapshot
[4.0K] /data/pocs/6de584d9515ff28d5a414ffe375acbb048c370a8
├── [ 755] LICENSE
├── [2.4K] README.md
└── [1.6M] spring-web-5.3.30.jar
0 directories, 3 files
Notes
1. Prefer obtaining the code from the original source.
2. If the source is no longer available or cannot be reached, e-mail f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.