CVE-2016-1000027¶
WSO2 Products Impacted: No
Customer Actions Required: No
REPORTED VULNERABILITY¶
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required 1.
REPORTED PRODUCTS¶
- WSO2 API Manager : 3.1.0, 3.2.0, 3.2.1, 4.0.0
- WSO2 Identity Server : 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0
- WSO2 Identity Server as Key Manager : 5.10.0
- WSO2 Enterprise Integrator : 6.6.0
WSO2 JUSTIFICATION¶
According to the CVE considerations, the root cause lies in the readRemoteInvocation method of the HttpInvokerServiceExporter class, which is part of the Spring HTTP Invoker in Spring Web. This method reads a serialized RemoteInvocation from the HTTP request body with a Java ObjectInputStream and does not sufficiently restrict or verify the untrusted objects before deserializing them 2.
This class, along with the other Spring HTTP Invoker classes, was removed by the Spring team starting with Spring 6.x. However, the WSO2 products listed above use Spring versions 5.3.31 through 5.3.39, and upgrading them to Spring 6.x is not feasible because Spring 6.x depends on Tomcat 10+.
To address this vulnerability, WSO2 has forked Spring versions 5.3.31 through 5.3.39 from the original Spring repository 3 and removed all the vulnerable classes in targeted changes such as 4; these classes are not used in any WSO2 product use case. Hence, Spring versions 5.3.31-wso2v1 and onwards, which are bundled with the products listed above, do not contain the reported vulnerability.
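A practitioner faced with a scanner alert will want to confirm that the deployed distribution actually carries the fork rather than a stock Spring jar. The following script is an added example, not WSO2's or Spring's own code: it opens every Spring jar in a plugins directory, reads the bundle version from the manifest, and lists any class still present under the org.springframework.remoting.httpinvoker package, flagging jars that ship HttpInvokerServiceExporter. It assumes the bundles live under <PRODUCT_HOME>/repository/components/plugins (an assumption; pass your own path as the first argument) and, for a stand-alone run with no argument, builds two constructed sample jars in a temporary directory, one in the stock-Spring shape and one in the fork shape.

```python
import os
import pathlib
import sys
import tempfile
import zipfile

# Package holding the Spring HTTP Invoker classes. The CVE names
# HttpInvokerServiceExporter.readRemoteInvocation; the WSO2 fork drops
# the whole package, so we report every class under it.
HTTP_INVOKER_PREFIX = "org/springframework/remoting/httpinvoker/"
CVE_CLASS = HTTP_INVOKER_PREFIX + "HttpInvokerServiceExporter.class"


def jar_version(jar_path):
    """Bundle-Version (OSGi) or Implementation-Version from META-INF/MANIFEST.MF, else None."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Manifest continuation lines begin with a single space; join them before parsing.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    headers = {}
    for line in text.split("\n"):
        if ": " in line:
            key, value = line.split(": ", 1)
            headers[key] = value.strip()
    return headers.get("Bundle-Version") or headers.get("Implementation-Version")


def http_invoker_entries(jar_path):
    """Every class under the HTTP Invoker package that is still present in the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(name for name in zf.namelist()
                      if name.startswith(HTTP_INVOKER_PREFIX) and name.endswith(".class"))


def scan_plugins(plugins_dir):
    """Scan each Spring jar under plugins_dir; returns {jar name: (version, entries)}."""
    report = {}
    for jar in sorted(pathlib.Path(plugins_dir).glob("*.jar")):
        if "spring" not in jar.name.lower():
            continue
        report[jar.name] = (jar_version(jar), http_invoker_entries(jar))
    return report


def exposed_jars(report):
    """Names of jars that still ship the class named in CVE-2016-1000027."""
    return [name for name, (_, entries) in report.items() if CVE_CLASS in entries]


def build_sample_jar(path, version, with_http_invoker):
    """Constructed sample jar for the offline demo; not a real Spring artifact."""
    manifest = ("Manifest-Version: 1.0\n"
                "Bundle-SymbolicName: org.springframework.web\n"
                f"Bundle-Version: {version}\n\n")
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic only; contents are irrelevant here
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("org/springframework/web/client/RestTemplate.class", stub_class)
        if with_http_invoker:
            zf.writestr(CVE_CLASS, stub_class)
            zf.writestr(HTTP_INVOKER_PREFIX + "HttpInvokerProxyFactoryBean.class", stub_class)


def demo():
    """Build one stock-style and one fork-style sample jar, scan them, return the report."""
    plugins = tempfile.mkdtemp(prefix="wso2-plugins-")
    build_sample_jar(os.path.join(plugins, "spring-web_5.3.31.jar"), "5.3.31", True)
    build_sample_jar(os.path.join(plugins, "spring-web_5.3.31.wso2v1.jar"), "5.3.31.wso2v1", False)
    report = scan_plugins(plugins)
    for name, (version, entries) in report.items():
        status = "EXPOSED" if CVE_CLASS in entries else "ok"
        print(f"{status:8} {name} (version {version}) httpinvoker classes: {len(entries)}")
    return report


if __name__ == "__main__":
    # Usage: python check_httpinvoker.py <PRODUCT_HOME>/repository/components/plugins
    report = scan_plugins(sys.argv[1]) if len(sys.argv) > 1 else demo()
    sys.exit(1 if exposed_jars(report) else 0)
```

The check looks at class entries rather than the version string alone, because a scanner keys on the 5.3.x version and that is exactly what the fork keeps; a non-zero exit means a jar still contains the exporter class and the advisory's justification does not apply to that installation.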
CONCLUSION¶
- WSO2 uses a fork of Spring 3 in which all the vulnerable classes have been removed.
Therefore, WSO2 concludes that this vulnerability is not present in the aforementioned WSO2 products, and a dependency upgrade will not be carried out solely on the basis of a scanner detecting CVE-2016-1000027.