Pivotal recently reported a new Common Vulnerabilities and Exposures entry (CVE-2017-4971) affecting the security of the Spring Web Flow framework.

The following link provides a detailed explanation and shows the steps used to exploit the vulnerability: https://blog.gdssecurity.com/labs/2017/7/17/cve-2017-4971-remote-code-execution-vulnerability-in-the-spr.html

The vulnerability behind the CVE is based on the presence of an additional request parameter which, in some situations, can end up in remote code execution. To exploit it, additional parameters have to be sent to a form in the application. The following example is one possible attack payload:

_new java.lang.ProcessBuilder({'/bin/bash','-c','mkdir newdir'}).start()=

Once Spring Web Flow receives the parameter, in certain situations the Spring Expression Language (SpEL) is invoked to resolve the name of the parameter.

Because of the vulnerability, the parameter is not properly validated before expression evaluation, so the name of the parameter is executed as an expression. The consequences depend on the attack payload and can cause many kinds of damage on the server side. In this particular example, resolving the additional parameter creates a directory on the server; many other commands could be crafted in the same way.
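To make the mechanism concrete, the following added example (not code from the original post, nor from Spring Web Flow or Hdiv) evaluates a request parameter name as a SpEL expression in two ways. The first uses a full StandardEvaluationContext, where an expression can reference types and constructors; the second uses SimpleEvaluationContext, which only supports property access on the root object and therefore rejects constructor and type references. It assumes a Spring Framework version that includes SimpleEvaluationContext (4.3.15 / 5.0.4 or later); the BookingForm class and the harmless probe expression are constructed for the example.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ParameterNameEvaluation {

    // Stand-in for a form-backing bean (constructed for this example).
    public static class BookingForm {
        private String guestName = "anonymous";
        public String getGuestName() { return guestName; }
        public void setGuestName(String guestName) { this.guestName = guestName; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Unsafe pattern: a StandardEvaluationContext lets the expression reference
    // arbitrary types and constructors, so an attacker-controlled parameter
    // name is effectively arbitrary code.
    static Object evaluateUnsafe(String parameterName, BookingForm form) {
        EvaluationContext ctx = new StandardEvaluationContext(form);
        return PARSER.parseExpression(parameterName).getValue(ctx);
    }

    // Hardened pattern: SimpleEvaluationContext supports only property access
    // against the root object; type references, constructors and bean
    // references are not available, so they fail with SpelEvaluationException.
    static Object evaluateRestricted(String parameterName, BookingForm form) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(parameterName).getValue(ctx, form);
    }

    public static void main(String[] args) {
        BookingForm form = new BookingForm();

        // A legitimate field name resolves as a property in the restricted context.
        System.out.println("guestName -> " + evaluateRestricted("guestName", form));

        // A parameter name that is really an expression. The probe is harmless
        // (it only builds an empty list), but it uses the same constructor and
        // type-reference features an attack payload relies on.
        String probe = "new java.util.ArrayList()";
        System.out.println("standard context evaluated: " + evaluateUnsafe(probe, form).getClass());

        try {
            evaluateRestricted(probe, form);
            System.out.println("restricted context evaluated the probe (unexpected)");
        } catch (SpelEvaluationException e) {
            System.out.println("restricted context rejected the probe: " + e.getMessageCode());
        }
    }
}
```

The takeaway for code that must evaluate anything derived from user input: restricting the evaluation context is a defence in depth, but the primary fix is not to treat request data as an expression at all (and, for this CVE, to run a patched Spring Web Flow release).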

Zero-Day Protection for Hdiv customers

In this case the vulnerability is related to OWASP Top 10 – A4 – Insecure Direct Object References, as the application handles untrusted input data without any validation.

Hdiv Enterprise contains a transparent integration with Spring Web Flow and protects the application against this kind of zero-day attack as well as OWASP Top 10 security risks.

When a Web Flow application protected by Hdiv is attacked with the payload explained previously, the attacker’s request is rejected. Hdiv controls the whole information flow between the server and the client and knows, in real time, which inputs are valid for a particular user. Thanks to Hdiv input validation, the client cannot craft any additional parameter or tamper with any value created by the server side (selects, radio buttons, links, etc.).
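The following added example (not Hdiv's code, nor code from the original post) illustrates in plain Java the server-side allowlist idea described above: the server records the field names it rendered for a form, and any submitted parameter name outside that set causes the request to be rejected before it reaches the framework. The FormParameterGuard class, the form id "booking", the field names and the constructed requests are all assumptions made for the example; a real integration would key the allowed set by user session and form token and would sit in a servlet filter.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class FormParameterGuard {

    // Field names the server rendered for each form, captured at render time.
    // Constructed for the example: a real guard would store this per session/token.
    private final Map<String, Set<String>> renderedFields = new HashMap<>();

    public void registerRenderedForm(String formId, Set<String> fieldNames) {
        renderedFields.put(formId, Collections.unmodifiableSet(new HashSet<>(fieldNames)));
    }

    // Submitted parameter names that the server never rendered for this form.
    public Set<String> unexpectedParameters(String formId, Set<String> submittedNames) {
        Set<String> allowed = renderedFields.getOrDefault(formId, Collections.emptySet());
        Set<String> extra = new TreeSet<>(submittedNames);
        extra.removeAll(allowed);
        return extra;
    }

    // Decision a filter layer would take: reject the whole request on any extra name,
    // so a crafted parameter name is never handed to the framework for resolution.
    public boolean accept(String formId, Set<String> submittedNames) {
        return unexpectedParameters(formId, submittedNames).isEmpty();
    }

    public static void main(String[] args) {
        FormParameterGuard guard = new FormParameterGuard();
        Set<String> rendered = new HashSet<>(Arrays.asList("guestName", "checkIn", "execution"));
        guard.registerRenderedForm("booking", rendered);

        // Constructed request 1: only the fields the server rendered.
        Set<String> legitimate = new HashSet<>(rendered);
        System.out.println("legitimate request accepted: " + guard.accept("booking", legitimate));

        // Constructed request 2: the same fields plus one extra parameter whose
        // name is an expression rather than a field (harmless probe, not a payload).
        Set<String> tampered = new HashSet<>(rendered);
        tampered.add("_new java.util.ArrayList()");
        System.out.println("tampered request accepted: " + guard.accept("booking", tampered));
        System.out.println("unexpected parameters: " + guard.unexpectedParameters("booking", tampered));
    }
}
```

Because the check compares names against what the server itself emitted, it does not need to understand the expression syntax at all: an unknown parameter is rejected regardless of what the attacker puts in its name, which is why this style of validation also covers attacks that were not known when the application was deployed.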

CVE-2017-4971

Hdiv's built-in validation prevents these kinds of attacks by design and protects applications against zero-day as well as known vulnerabilities.
