Remote Code Execution with Spring Data Commons (CVE-2018-1273)
Another critical vulnerability in the Spring Framework was published in recent days (CVE-2018-1273). This time the vulnerable component is Spring Data Commons. The goal of Spring Data is to provide a common API for accessing NoSQL and relational databases, and Spring Data Commons provides the basic implementation and interfaces for the other Spring Data projects. It was found that the MapDataBinder class of the Spring Data Commons project unsafely parsed and evaluated a Spring Expression Language (SpEL) expression that may be controlled by the user. Because of this unsafe evaluation, an attacker can send a string containing the special T() operator, which tells the Spring expression parser to treat the string inside it as a class reference, and consequently may allow execution of arbitrary code.
To mitigate the issue, the Spring developers changed the class used for expression evaluation from StandardEvaluationContext, which allows evaluating Java type references, constructors and bean references, to SimpleEvaluationContext, which prohibits them and was designed to support only a subset of the Spring Expression Language syntax.
Figure 1: Spring Data Commons GitHub commit showing the change from StandardEvaluationContext to SimpleEvaluationContext
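The difference between the two evaluation contexts can be seen by evaluating the same caller-supplied path under each. The following is an added example, not code from the Spring Data Commons project or from the original post; the `SpelContextDemo` and `Form` classes are hypothetical, the type reference used is a harmless constructed input, and it assumes a spring-expression release that includes SimpleEvaluationContext on the classpath.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Hypothetical form-backing bean, standing in for an object bound from request parameters.
    public static class Form {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Parses a caller-supplied path as SpEL and evaluates it against the bean.
    // Returns the value, or the SpEL message code if the context refuses the expression.
    static String evaluate(String path, EvaluationContext ctx, Form root) {
        try {
            return "evaluated -> " + PARSER.parseExpression(path).getValue(ctx, root);
        } catch (SpelEvaluationException e) {
            return "rejected  -> " + e.getMessageCode();
        }
    }

    public static void main(String[] args) {
        Form form = new Form();
        form.setName("alice");

        // Pre-fix style: full SpEL, including T() type references.
        EvaluationContext standard = new StandardEvaluationContext();
        // Post-fix style: data-binding subset only; type references are not resolvable.
        EvaluationContext simple = SimpleEvaluationContext.forReadWriteDataBinding().build();

        // Constructed inputs: an ordinary property path and a harmless type reference.
        String[] paths = { "name", "T(java.lang.Math).max(3, 7)" };
        for (String path : paths) {
            System.out.println(path);
            System.out.println("  StandardEvaluationContext: " + evaluate(path, standard, form));
            System.out.println("  SimpleEvaluationContext:   " + evaluate(path, simple, form));
        }
    }
}
```

The ordinary property path resolves under both contexts, while the `T()` reference is resolved only by StandardEvaluationContext; SimpleEvaluationContext raises a `SpelEvaluationException` for it instead of loading the class.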
Figure 2: CVE-2018-1273 Proof of Concept as it was posted by @shengqi158 (xxlegend) via Twitter
Mitigating the vulnerability with BIG-IP ASM
BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Java code injection attack signatures, which can be found in signature sets that include the “Server Side Code Injection” attack type or the “Java Servlets/JSP” system. Operating system command execution signatures will also detect the attempt to execute operating system commands as the exploit payload.
Figure 3: Exploit blocked with attack signature 200003437
Figure 4: Exploit blocked with attack signature 200003073
Figure 5: Exploit blocked with attack signature 200002273