Temporary solution to the RCE 0day vulnerability in the Spring Framework

On March 29, an RCE 0day vulnerability in the Spring Framework was disclosed. It has been confirmed that SerializationUtils#deserialize relies on Java's serialization mechanism, which can lead to remote code execution (RCE). Anyone running on JDK 9 or above may be affected.

Vulnerability description:
As the most popular lightweight open source Java framework in the world, Spring lets developers focus on business logic and shortens the development cycle of Java enterprise applications.

However, when the Spring Framework runs on JDK 9 or above, a remote attacker can reach the AccessLogValve object through the framework's parameter binding feature and inject malicious field values, thereby triggering the pipeline mechanism and writing arbitrary files under the configured path.

It is currently known that two basic conditions must both be met to trigger this vulnerability:

  • The Spring MVC framework is used on JDK 9 or above
  • The Spring Framework's (or a derived framework's) spring-beans-*.jar file or CachedIntrospectionResults.class is present

Temporary solution:

Create the following global class under the application's project package and make sure it is loaded by Spring (adding it to the package that holds the Controllers is recommended). After adding the class, recompile and package the project, verify and test its functionality, and then republish it.

SpringRCE.java (the file name must match the public class name)

package org.jeecg.modules.nanxin;

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * @author: myqxin
 * @Desc:
 * @create: 2022-03-30 16:09
 **/
@ControllerAdvice   // applies the @InitBinder method below to every controller
@Order(10000)       // low precedence, so it runs after other ControllerAdvice beans
public class SpringRCE {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Refuse any request parameter whose property path starts at, or passes
        // through, the bean's Class object. Both capitalisations are listed
        // because the pattern match is case-sensitive.
        String[] abd = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(abd);
    }
}
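To confirm that the deny-list actually stops a "class.*" property path before the binder navigates it, the mitigation can be exercised on a WebDataBinder directly, without an HTTP request. The following is an added example, not code from the original post; the package name, the Form bean and the parameter names are constructed for illustration. It assumes the same Spring versions the post targets. One caveat the post does not mention: a controller that declares its own @InitBinder method and calls setDisallowedFields there overrides this global list for that controller, so every such local binder needs the same patterns.

```java
package com.example.check; // hypothetical package for this added example

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;

/**
 * Added example (not from the original post): feeds request-style parameters
 * into a WebDataBinder configured with the same deny-list as the mitigation
 * class, and reports which fields were bound and which were suppressed.
 */
public class DisallowedFieldsCheck {

    /** Minimal target bean, constructed for this example. */
    public static class Form {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Same deny-list as the SpringRCE advice; case-sensitive, hence both spellings. */
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    /** Binds the given parameters onto a fresh Form and returns the binding result. */
    public static BindingResult bindWithDenylist(MutablePropertyValues params) {
        Form target = new Form();
        WebDataBinder binder = new WebDataBinder(target, "form");
        binder.setDisallowedFields(DENYLIST);
        binder.bind(params);
        return binder.getBindingResult();
    }

    public static void main(String[] args) {
        MutablePropertyValues params = new MutablePropertyValues();
        params.add("name", "alice");
        // Constructed hostile-style parameter: any path that starts at the bean's
        // Class object must be refused by the binder instead of being navigated.
        params.add("class.module.classLoader.sample", "x");

        BindingResult result = bindWithDenylist(params);
        Form form = (Form) result.getTarget();

        System.out.println("bound name       : " + form.getName());
        System.out.println("suppressed fields: " + String.join(",", result.getSuppressedFields()));
        System.out.println("binding errors   : " + result.getErrorCount());
    }
}
```

With the deny-list in place the legitimate "name" parameter is bound while the "class.module.classLoader.sample" path is dropped and recorded in getSuppressedFields() rather than raising a binding error; removing the setDisallowedFields call lets the binder attempt to walk the Class path, which is exactly the behaviour the mitigation exists to prevent. The same check can be dropped into a JUnit test so a future refactor cannot silently remove the advice.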

Origin blog.csdn.net/qq_45752401/article/details/123849309