CVE-2011-2894: Spring Serial Vulnerability

Example from Springsource, as explained by Wouter Coekaerts, showing why clients should not be trusted.

Affected: Applications that have Spring AOP on the classpath and deserialize a stream from an untrusted source
Result: Arbitrary code execution

Short version: The problem is that JdkDynamicAopProxy, DefaultListableBeanFactory and some other Spring classes are Serializable, so an attacker-supplied stream can be configured to execute arbitrary code when the application uses the deserialized objects.

The vulnerability has been fixed in Spring by making it impossible to deserialize a DefaultListableBeanFactory except through the SerializedBeanFactoryReference, and the id used by SerializedBeanFactoryReference has been made easier to configure, since it must not be predictable by a client.

Springsource has posted the announcement of the CVE, but the NIST site gives only this error:

ERROR, “CVE-2011-2894” is valid CVE format, but CVE was not found.