Insecure Defaults Affecting org.springframework.batch:spring-batch-core package, versions [4.0.0.RELEASE, 4.2.3.RELEASE)
Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKBATCH-572008
- published 11 Jun 2020
- disclosed 11 Jun 2020
- credit Unknown
Introduced: 11 Jun 2020
CVE-2020-5411
How to fix?
Upgrade org.springframework.batch:spring-batch-core to version 4.2.3.RELEASE or higher.
Overview
org.springframework.batch:spring-batch-core is a framework for writing offline and batch applications using Spring and Java.
Affected versions of this package are vulnerable to Insecure Defaults. When default typing is enabled, Jackson instantiates whatever class name the JSON it deserializes carries, so untrusted input naming a suitable "gadget" class present on the classpath could lead to arbitrary code execution (https://github.com/FasterXML/jackson-databind/issues/1599). Jackson addressed this by blacklisting known "deserialization gadgets", a mitigation that only covers gadget classes already catalogued.
Spring Batch configures Jackson with global default typing enabled (https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#11-global-default-typing), which means that, through that same class of deserialization exploit, arbitrary code could be executed when both of the following are true:
- Spring Batch's Jackson support is used to serialize a job's ExecutionContext.
- A malicious user gains write access to the data store used by the JobRepository (where the serialized context to be deserialized is stored), for example through compromised database credentials or another flaw that reaches the batch metadata tables.
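The following is an added example, not code from Spring Batch or from this advisory, that shows the mechanism behind the two conditions above: an ObjectMapper with global default typing honours the class name embedded in a stored ExecutionContext, so a tampered row in the JobRepository's store can instantiate any class on the classpath, whereas the same mapper restricted to an allow list rejects the type id before anything is constructed. The mapper settings (NON_FINAL typing with an "@class" property), the GadgetStandIn class (a harmless stand-in whose setter only records that it ran), the tampered JSON and the allow-list prefixes are all assumptions made for this example; Spring Batch's exact serializer configuration and the contents of the allow list shipped in the fixed version are not reproduced here.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class ExecutionContextTypingDemo {

    // Assumed stand-in for a deserialization gadget: harmless, it only records
    // that Jackson instantiated it and called its setter. A real gadget would
    // perform a dangerous side effect at this point.
    public static class GadgetStandIn {
        static volatile boolean constructed = false;
        public void setCmd(String cmd) { constructed = true; }
    }

    // Weak configuration: global default typing with no subtype restriction,
    // so any class on the classpath may be named in the "@class" property.
    static ObjectMapper globalDefaultTyping() {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // Hardened configuration: same wire format, but only subtypes under the
    // assumed prefixes may be resolved from a type id.
    static ObjectMapper allowListedTyping() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("java.util.")
                .allowIfSubType("java.lang.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv,
                ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // An ExecutionContext is, on the wire, a map from String keys to arbitrary values.
    private static final TypeReference<Map<String, Object>> CONTEXT =
            new TypeReference<Map<String, Object>>() {};

    public static void main(String[] args) throws Exception {
        ObjectMapper weak = globalDefaultTyping();

        // Constructed legitimate context: note the "@class" type ids in the output.
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("cursor", new ArrayList<>(Arrays.asList("a", "b")));
        String stored = weak.writeValueAsString(ctx);
        System.out.println("stored context: " + stored);

        // Constructed tampered row: what an attacker with write access to the
        // JobRepository store would substitute for the legitimate context.
        String tampered = "{\"@class\":\"java.util.HashMap\",\"cursor\":{\"@class\":\""
                + GadgetStandIn.class.getName() + "\",\"cmd\":\"id\"}}";

        weak.readValue(tampered, CONTEXT);
        System.out.println("weak mapper instantiated the gadget: " + GadgetStandIn.constructed);

        GadgetStandIn.constructed = false;
        try {
            allowListedTyping().readValue(tampered, CONTEXT);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
        System.out.println("gadget ran under hardened mapper: " + GadgetStandIn.constructed);

        // The legitimate context still round-trips through the hardened mapper.
        System.out.println("hardened mapper read: " + allowListedTyping().readValue(stored, CONTEXT));
    }
}
```

The only difference between the two mappers is the PolymorphicTypeValidator passed to activateDefaultTyping; the JSON, the declared target type and the typing mode are identical. That is the practical check to run against any Jackson configuration that enables default typing: confirm the validator is an allow list of the types the application actually stores, not LaissezFaireSubTypeValidator, and remember that a blacklist of known gadgets (the earlier Jackson mitigation the advisory mentions) does nothing against a gadget that has not yet been catalogued.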