ID CVE-2018-1275
Summary Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
References
Vulnerable Configurations
  • Pivotal Software Spring Framework 4.3.0
    cpe:2.3:a:pivotal_software:spring_framework:4.3.0
  • Pivotal Software Spring Framework 4.3.1
    cpe:2.3:a:pivotal_software:spring_framework:4.3.1
  • Pivotal Software Spring Framework 4.3.2
    cpe:2.3:a:pivotal_software:spring_framework:4.3.2
  • Pivotal Software Spring Framework 4.3.3
    cpe:2.3:a:pivotal_software:spring_framework:4.3.3
  • Pivotal Software Spring Framework 4.3.4
    cpe:2.3:a:pivotal_software:spring_framework:4.3.4
  • Pivotal Software Spring Framework 4.3.5
    cpe:2.3:a:pivotal_software:spring_framework:4.3.5
  • Pivotal Software Spring Framework 4.3.6
    cpe:2.3:a:pivotal_software:spring_framework:4.3.6
  • Pivotal Software Spring Framework 4.3.7
    cpe:2.3:a:pivotal_software:spring_framework:4.3.7
  • Pivotal Software Spring Framework 4.3.8
    cpe:2.3:a:pivotal_software:spring_framework:4.3.8
  • Pivotal Software Spring Framework 4.3.9
    cpe:2.3:a:pivotal_software:spring_framework:4.3.9
  • Pivotal Software Spring Framework 4.3.10
    cpe:2.3:a:pivotal_software:spring_framework:4.3.10
  • Pivotal Software Spring Framework 4.3.11
    cpe:2.3:a:pivotal_software:spring_framework:4.3.11
  • Pivotal Software Spring Framework 4.3.12
    cpe:2.3:a:pivotal_software:spring_framework:4.3.12
  • Pivotal Software Spring Framework 4.3.13
    cpe:2.3:a:pivotal_software:spring_framework:4.3.13
  • Pivotal Software Spring Framework 4.3.14
    cpe:2.3:a:pivotal_software:spring_framework:4.3.14
  • Pivotal Software Spring Framework 4.3.15
    cpe:2.3:a:pivotal_software:spring_framework:4.3.15
  • Pivotal Software Spring Framework 5.0.0
    cpe:2.3:a:pivotal_software:spring_framework:5.0.0
  • Pivotal Software Spring Framework 5.0.1
    cpe:2.3:a:pivotal_software:spring_framework:5.0.1
  • Pivotal Software Spring Framework 5.0.2
    cpe:2.3:a:pivotal_software:spring_framework:5.0.2
  • Pivotal Software Spring Framework 5.0.3
    cpe:2.3:a:pivotal_software:spring_framework:5.0.3
  • Pivotal Software Spring Framework 5.0.4
    cpe:2.3:a:pivotal_software:spring_framework:5.0.4
  • Oracle Application Testing Suite 12.5.0.3
    cpe:2.3:a:oracle:application_testing_suite:12.5.0.3
  • Oracle Application Testing Suite 13.1.0.1
    cpe:2.3:a:oracle:application_testing_suite:13.1.0.1
  • Oracle Application Testing Suite 13.2.0.1
    cpe:2.3:a:oracle:application_testing_suite:13.2.0.1
  • Oracle Application Testing Suite 13.3.0.1
    cpe:2.3:a:oracle:application_testing_suite:13.3.0.1
  • cpe:2.3:a:oracle:big_data_discovery:1.6.0
    cpe:2.3:a:oracle:big_data_discovery:1.6.0
  • Oracle Communications Diameter Signaling Router 6.0
    cpe:2.3:a:oracle:communications_diameter_signaling_router:6.0
  • Oracle Communications Diameter Signaling Router 8.1
    cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1
  • Oracle Communications Diameter Signaling Router 8.2
    cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2
  • cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1
    cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1
  • cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1
    cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1
  • cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1
    cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1
  • cpe:2.3:a:oracle:health_sciences_information_manager:3.0
    cpe:2.3:a:oracle:health_sciences_information_manager:3.0
  • cpe:2.3:a:oracle:healthcare_master_person_index:3.0
    cpe:2.3:a:oracle:healthcare_master_person_index:3.0
  • cpe:2.3:a:oracle:healthcare_master_person_index:4.0
    cpe:2.3:a:oracle:healthcare_master_person_index:4.0
  • cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1
    cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1
  • cpe:2.3:a:oracle:insurance_calculation_engine:10.2
    cpe:2.3:a:oracle:insurance_calculation_engine:10.2
  • cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1
    cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1
  • cpe:2.3:a:oracle:insurance_rules_palette:10.0
    cpe:2.3:a:oracle:insurance_rules_palette:10.0
  • cpe:2.3:a:oracle:insurance_rules_palette:10.1
    cpe:2.3:a:oracle:insurance_rules_palette:10.1
  • cpe:2.3:a:oracle:insurance_rules_palette:10.2
    cpe:2.3:a:oracle:insurance_rules_palette:10.2
  • cpe:2.3:a:oracle:insurance_rules_palette:11.0
    cpe:2.3:a:oracle:insurance_rules_palette:11.0
  • cpe:2.3:a:oracle:insurance_rules_palette:11.1
    cpe:2.3:a:oracle:insurance_rules_palette:11.1
  • cpe:2.3:a:oracle:primavera_gateway:15.2
    cpe:2.3:a:oracle:primavera_gateway:15.2
  • cpe:2.3:a:oracle:primavera_gateway:16.2
    cpe:2.3:a:oracle:primavera_gateway:16.2
  • cpe:2.3:a:oracle:primavera_gateway:17.12
    cpe:2.3:a:oracle:primavera_gateway:17.12
  • cpe:2.3:a:oracle:retail_customer_insights:15.0
    cpe:2.3:a:oracle:retail_customer_insights:15.0
  • cpe:2.3:a:oracle:retail_customer_insights:16.0
    cpe:2.3:a:oracle:retail_customer_insights:16.0
  • cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0
    cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0
  • cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0
    cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0
  • cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1
    cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1
  • cpe:2.3:a:oracle:retail_order_broker:5.1
    cpe:2.3:a:oracle:retail_order_broker:5.1
  • cpe:2.3:a:oracle:retail_order_broker:5.2
    cpe:2.3:a:oracle:retail_order_broker:5.2
  • cpe:2.3:a:oracle:retail_order_broker:15.0
    cpe:2.3:a:oracle:retail_order_broker:15.0
  • cpe:2.3:a:oracle:retail_order_broker:16.0
    cpe:2.3:a:oracle:retail_order_broker:16.0
  • cpe:2.3:a:oracle:retail_predictive_application_server:14.0
    cpe:2.3:a:oracle:retail_predictive_application_server:14.0
  • cpe:2.3:a:oracle:retail_predictive_application_server:14.1
    cpe:2.3:a:oracle:retail_predictive_application_server:14.1
  • cpe:2.3:a:oracle:retail_predictive_application_server:15.0
    cpe:2.3:a:oracle:retail_predictive_application_server:15.0
  • cpe:2.3:a:oracle:retail_predictive_application_server:16.0
    cpe:2.3:a:oracle:retail_predictive_application_server:16.0
  • cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0
    cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0
  • cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0
    cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0
  • cpe:2.3:a:oracle:tape_library_acsls:8.4
    cpe:2.3:a:oracle:tape_library_acsls:8.4
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-358
CAPEC
nessus via4
  • NASL family Misc.
    NASL id ORACLE_OATS_CPU_JUL_2018.NASL
    description The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities: - A remote code execution vulnerability exists in Apache Log4j 2.x before 2.8.2 due to the ability to receive serialized log events from another application. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to execute arbitrary code on the remote host. (CVE-2017-5645) - A remote code execution vulnerability exists in Spring Framework due to the exposure of STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to execute arbitrary code on the remote host. (CVE-2018-1275)
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 111210
    published 2018-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111210
    title Oracle Application Testing Suite Multiple Vulnerabilities (April / July 2018 CPU)
  • NASL family CGI abuses
    NASL id ORACLE_PRIMAVERA_GATEWAY_CPU_OCT_2018.NASL
    description According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.15, 16.x prior to 16.2.8, or 17.x prior to 17.12.3. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-18
    plugin id 118714
    published 2018-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118714
    title Oracle Primavera Gateway Multiple Vulnerabilities (Oct 2018 CPU)
  • NASL family Misc.
    NASL id ORACLE_WEBLOGIC_SERVER_CPU_JUL_2018.NASL
    description The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework (Sample Apps) subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to take over a WebLogic server. (CVE-2018-1275) - An unspecified vulnerability in the WLS Core Components subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to take over a WebLogic server. (CVE-2018-2893) - An unspecified vulnerability in the WLS - Web Services subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker with HTTP access to compromise and take over a WebLogic server. (CVE-2018-2894) In addition, Oracle WebLogic Server is affected by several other lower scoring vulnerabilities in the WLS Core Components, JSF, SAML, and Console (jackson-databind) subcomponents. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-12-21
    plugin id 111209
    published 2018-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111209
    title Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)
redhat via4
advisories
  • rhsa
    id RHSA-2018:1320
  • rhsa
    id RHSA-2018:2939
refmap via4
bid 103771
confirm
sectrack 1041301
Last major update 11-04-2018 - 09:29
Published 11-04-2018 - 09:29
Last modified 21-03-2019 - 10:25