Skip to content

CVE-2011-2894: Spring Serial Vulnerability

Example from Springsource, as explained by Wouter Coekaerts, showing why clients should not be trusted.

Affected: Applications that have Spring AOP on the classpath and deserialize a stream from an untrusted source
Result: Arbitrary code execution

Short version: The problem is that the JdkDynamicAopProxy, DefaultListableBeanFactory and some other Spring classes are Serializable and can be configured to execute arbitrary code when the application uses these deserialized objects.


The vulnerability has been fixed in Spring by making it impossible to deserialize a DefaultListableBeanFactory except through the SerializedBeanFactoryReference. And the id used by the SerializedBeanFactoryReference has been made easier to configure because it should not be predictable by a client.

Springsource has the announcement of the CVE posted but the NIST site gives only this error:

ERROR, “CVE-2011-2894” is valid CVE format, but CVE was not found.

Posted in Security.

0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Some HTML is OK

or, reply to this post via trackback.