Insecure Defaults Affecting org.springframework.batch:spring-batch-core package, versions [4.0.0.RELEASE, 4.2.3.RELEASE)


Severity

medium

Threat Intelligence

EPSS: 0.24% (65th percentile)

  • Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKBATCH-572008
  • published 11 Jun 2020
  • disclosed 11 Jun 2020
  • credit Unknown

How to fix?

Upgrade org.springframework.batch:spring-batch-core to version 4.2.3.RELEASE or higher.

Overview

org.springframework.batch:spring-batch-core is a framework for writing offline and batch applications using Spring and Java.

Affected versions of this package are vulnerable to Insecure Defaults. When configured to enable default typing, Jackson contained a deserialization vulnerability (https://github.com/FasterXML/jackson-databind/issues/1599) that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets", a denylist that by construction only covers gadget classes that have already been discovered.

Spring Batch configures Jackson with global default typing enabled (https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#11-global-default-typing), which means that, through the Jackson issue above, arbitrary code could be executed if all of the following are true:

  • Spring Batch’s Jackson support is being leveraged to serialize a job’s ExecutionContext.
  • A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored).
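The example below is added here to illustrate the two preconditions; it is not Spring Batch's code and not part of this advisory. It builds a Jackson ObjectMapper twice: once the way the insecure default works (global default typing, every type id in the stored JSON is honoured) and once with default typing still on but restricted to an allowlist, so a tampered JobRepository row that names a class outside the list is rejected before any constructor runs. It assumes jackson-databind 2.10 or later (for activateDefaultTyping and PolymorphicTypeValidator); the allowlisted package prefixes, the sample ExecutionContext keys and the tampered payload are constructed for the example. The payload uses java.net.URL purely as a benign stand-in for an attacker-chosen class.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Spring Batch code). Contrasts an ObjectMapper with
 * unrestricted global default typing against one whose type ids are checked
 * against an allowlist. Requires jackson-databind 2.10+.
 */
public class ExecutionContextTypingDemo {

    // Insecure default: Jackson honours any type id found in the JSON, so a
    // row rewritten in the JobRepository can name any class on the classpath.
    // enableDefaultTyping() is deprecated since 2.10; kept to show the old shape.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE, wrapper-array type ids
        return mapper;
    }

    // Hardened: default typing stays on (an ExecutionContext holds polymorphic
    // values), but every type id must match the allowlist. The prefixes are an
    // assumption for this example; list only what your contexts actually store.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("java.util.")
                .allowIfSubType("java.lang.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv); // same DefaultTyping as enableDefaultTyping()
        return mapper;
    }

    /** Round-trips a constructed context map; both mappers accept their own legitimate output. */
    static Map<?, ?> roundTrip(ObjectMapper mapper) throws Exception {
        Map<String, Object> context = new LinkedHashMap<>();
        context.put("step.read.count", 42);
        context.put("last.key", "order-1337");
        String json = mapper.writeValueAsString(context); // e.g. ["java.util.LinkedHashMap",{...}]
        return mapper.readValue(json, Map.class);
    }

    // Constructed stand-in for a tampered JobRepository row: the type id names a
    // class that is not on the allowlist (java.net.URL here, chosen because it is
    // harmless to instantiate).
    static final String TAMPERED = "[\"java.net.URL\",\"http://example.invalid/\"]";

    /** Returns the class the mapper instantiated from TAMPERED, or null if it refused. */
    static String classInstantiatedBy(ObjectMapper mapper) throws Exception {
        try {
            Object value = mapper.readValue(TAMPERED, Object.class);
            return value.getClass().getName();
        } catch (InvalidTypeIdException refused) {
            // The validator rejected the type id before any constructor ran.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("round trip (weak):     " + roundTrip(weakMapper()));
        System.out.println("round trip (hardened): " + roundTrip(hardenedMapper()));
        System.out.println("weak mapper instantiated:     " + classInstantiatedBy(weakMapper()));
        System.out.println("hardened mapper instantiated: " + classInstantiatedBy(hardenedMapper()));
    }
}
```

The weak mapper instantiates whatever class the stored type id names, which is why the gadget denylist has to keep chasing new classes; the hardened mapper throws InvalidTypeIdException for anything outside the allowlist, so an unknown gadget is refused along with the known ones. Upgrading as described above is still the fix; if you must stay on an affected version for a while, check whether your Spring Batch release's Jackson2ExecutionContextStringSerializer lets you supply your own ObjectMapper (4.x exposes a setObjectMapper method, but confirm against the version you run). The second precondition is worth its own control: the batch application's database account needs write access to the JobRepository tables, but no other service sharing that database should.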

CVSS Scores

version 3.1

Snyk

4.9 medium (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None

NVD

8.1 high