https://bugzilla.redhat.com/show_bug.cgi?id=1881158
Bug ID: 1881158
Summary: CVE-2020-5421 springframework: RFD protection bypass via jsessionid
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, chazlett@redhat.com, dblechte@redhat.com, dchen@redhat.com, dfediuck@redhat.com, drieden@redhat.com, eedri@redhat.com, etirelli@redhat.com, extras-orphan@fedoraproject.org, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, hvyas@redhat.com, ibek@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jochrist@redhat.com, jolee@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, ldimaggi@redhat.com, lef@fedoraproject.org, lsurette@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mnovotny@redhat.com, nwallace@redhat.com, pjindal@redhat.com, puebele@redhat.com, puntogil@libero.it, rrajasek@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sbonazzo@redhat.com, sdaley@redhat.com, sherold@redhat.com, tcunning@redhat.com, tkirby@redhat.com, vhalbert@redhat.com, yturgema@redhat.com
Target Milestone: ---
Classification: Other
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Reference: https://tanzu.vmware.com/security/cve-2020-5421
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What            |Removed |Added
----------------+--------+--------
Depends On      |        |1881159
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1881159 [Bug 1881159] CVE-2020-5421 springframework: RFD protection bypass via jsessionid [fedora-all]
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What            |Removed |Added
----------------+--------+--------
Blocks          |        |1881160
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created springframework tracking bugs for this issue:
Affects: fedora-all [bug 1881159]
Jonathan Christison jochrist@redhat.com changed:
What            |Removed |Added
----------------+--------+-----------------------
Fixed In Version|        |springframework-5.2.9,
                |        |springframework-5.1.18,
                |        |springframework-5.0.19,
                |        |springframework-4.3.29
--- Comment #6 from Stoyan Nikolov snikolov@redhat.com --- Statement:
This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web.
--- Comment #7 from Hardik Vyas hvyas@redhat.com --- Statement:
This issue does not affect the version of SpringFramework (embedded in rhvm-dependencies) shipped with Red Hat Virtualization, as it does not provide support for spring-web.
In Red Hat Gluster Storage 3, SpringFramework (embedded in rhvm-dependencies) was shipped as a part of Red Hat Gluster Storage Console that is no longer supported for use with Red Hat Gluster Storage 3.5. However, spring-web is not included in the shipped version of SpringFramework.
--- Comment #10 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #11 from Jonathan Christison jochrist@redhat.com --- A word on scoring: our scoring is currently 6.5/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N. This differs from Pivotal's own of 8.7/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N and NVD's of 8.8/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Exploitability Metrics:
Attack Vector Network (AV:N) - Agree here, spring-web framework applications run on an HTTP server (Tomcat, Jetty, Undertow etc.) which is bound to the network and is commonly used to serve up applications which are public facing.
Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H):
We disagree here, although this is very similar to XSS which can be instigated via phishing and requires only link manipulation, the payload the end user will execute must be specific in that
* It is targeted for a particular application or operating system and usually shell .bat, .sh, .ps etc
* The end user must be using a browser whose configuration is to execute the file; for example Firefox will open *.sh files with a text editor, and in many cases this will not represent a threat to the end user.
These are both conditions beyond the attacker's control, and a successful attack cannot be expected without significant knowledge of the end user's environment.
Privileges Required Low (PR:L) - Agree here, the end user will be executing the payload with their account's privileges.
User Interaction Required (UI:R) Agree here, this attack fundamentally relies on end user (web application user) interaction as opposed to user (developer/administrator) interaction in two possible ways
* They must follow a malicious link
* In most cases the end user must execute the downloaded file - the caveat being the malicious file could be a targeted vector for another vulnerable application, e.g. a malicious PDF file targeted at a known vulnerable version of a PDF reader
Scope Changed (S:C)
Agree here, this is a reflected attack and as such end user resources outside of the security authority (organisation or individual running the web application) are affected
Impact Metrics:
Confidentiality High (C:H) -> Confidentiality Low (C:L)
We disagree here and believe a high impact on confidentiality is incorrect. In the envisioned scenario an end user might execute a script that manipulates their browser in such a way as to disclose active credentials; however, this is contingent on certain applications and configurations. Some of this is factored into attack complexity, but crucially the attacker does not have control over what information is obtained because of this; for local files this will also be limited in scope to the end user's privileges and permissions.
Integrity High (I:H)
We agree here: if the attack is successful the malicious file or script will execute with privileges equivalent to the end user's. This means that although only some files can be modified, malicious modification would present a direct, serious consequence to the end user.
Availability None (A:N)
We agree here, there is no availability impact upon the affected component itself (the spring web application).
Bug 1881158 depends on bug 1881159, which changed state.
Bug 1881159 Summary: CVE-2020-5421 springframework: RFD protection bypass via jsessionid [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1881159
What            |Removed |Added
----------------+--------+--------
Status          |NEW     |CLOSED
Resolution      |---     |EOL
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- In Spring Framework, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------+--------+------------------------
Link ID         |        |Red Hat Product Errata
                |        |RHSA-2021:3140
Product Security DevOps Team prodsec-dev@redhat.com changed:
What            |Removed |Added
----------------+--------+--------------------
Status          |NEW     |CLOSED
Resolution      |---     |ERRATA
Last Closed     |        |2021-08-11 19:28:34
--- Comment #19 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-5421
Joshua Mulliken jmullike@redhat.com changed:
What            |Removed |Added
----------------+--------+--------
Blocks          |        |2014197