CVE-2011-2894: Spring Serial Vulnerability

Example from Springsource, as explained by Wouter Coekaerts, showing why clients should not be trusted.

Affected: Applications that have Spring AOP on the classpath and deserialize a stream from an untrusted source
Result: Arbitrary code execution

Short version: The problem is that the JdkDynamicAopProxy, DefaultListableBeanFactory and some other Spring classes are Serializable and can be configured to execute arbitrary code when the application uses these deserialized objects.

[…]

The vulnerability has been fixed in Spring by making it impossible to deserialize a DefaultListableBeanFactory except through the SerializedBeanFactoryReference. And the id used by the SerializedBeanFactoryReference has been made easier to configure because it should not be predictable by a client.

Springsource has the announcement of the CVE posted but the NIST site gives only this error:

ERROR, "CVE-2011-2894" is valid CVE format, but CVE was not found.

Posted in Security.