Question
Why is CVE-2016-1000027 listed for all spring-web versions when MITRE indicates only 4.1.4 as being vulnerable?
Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.
Answer
Vulnerability breakdown
Affected package: org.springframework/spring-web
This vulnerability makes it possible to exploit deserialization of untrusted data, ultimately leading to Remote Code Execution (RCE).
The root cause is the readRemoteInvocation method within the HttpInvokerServiceExporter.class does not sufficiently restrict or verify untrusted objects prior to deserializing them.
Information discrepancy with NVD
For a time, NVD was only listing version 4.1.4 as vulnerable, whereas we were listing all versions as vulnerable. This decision was based off the latest information from the Spring Framework developers, and had yet to be communicated to/updated by NVD.
NVD have since addressed this, and began to list all of the then available Spring Framework versions as vulnerable.
Remediation
Whilst for a time there was considered no fix for this vulnerability, this has now been fixed with the release of Spring Framework version 6.0.0.
<%= heading %>