9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-1000027

CVE-2016-1000027: Pivotal Spring Framework contains unsafe Java deserialization methods

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2016-1000027

CVE-2016-1000027:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework:spring-web	maven	< 6.0.0	6.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2016-1000027 concerns unsafe Java deserialization in Pivotal Spring Framework's HTTP invoker components.

Commit 5cbe90b2cd91b866a5a9586e460f311860e11cfa adds explicit Javadoc warnings to HttpInvokerServiceExporter.java about the dangers of Java deserialization. The method readRemoteInvocation(HttpServletRequest, InputStream) within this class is responsible for handling the input stream that is subsequently deserialized. Issue #24434 (referenced in CVE details) specifically mentions 'The readRemoteInvocation method in HttpInvokerServiceExporter.class' as problematic.
Commit 2b051b8b321768a4cfef83077db65c6328ffd60f deprecates SimpleHttpInvokerServiceExporter.java, which provides similar functionality for Sun's HTTP server and also relies on Java deserialization via its readRemoteInvocation(InputStream) method.
Both HttpInvokerServiceExporter and SimpleHttpInvokerServiceExporter extend RemoteInvocationSerializingExporter and utilize its doReadRemoteInvocation(ObjectInputStream) method to perform the actual ois.readObject() call. This method is therefore central to the vulnerability as it's where the untrusted data is deserialized. These three functions are directly involved in the vulnerable deserialization process. The readRemoteInvocation methods are the entry points in the patched/deprecated classes that process the malicious input, and doReadRemoteInvocation is where the critical readObject() call occurs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2016-1000027: Pivotal Spring Framework contains unsafe Java deserialization methods

CVE-2016-1000027:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

9.8

9.8

CVE-2016-1000027: Pivotal Spring Framework contains unsafe Java deserialization methods

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI