The Register: Admins better Spring into action over latest critical open source vuln

Source URL: https://www.theregister.com/2024/10/29/admins_spring_into_action_over/
Source: The Register
Title: Admins better Spring into action over latest critical open source vuln

Feedly Summary: Patch up: The Spring framework dominates the Java ecosystem
If you’re running an application built using the Spring development framework, now is a good time to check it’s fully updated – a new, critical-severity vulnerability has just been disclosed.…

AI Summary and Description: Yes

Summary: A critical-severity vulnerability, CVE-2024-38821, has been disclosed for applications that use the Spring WebFlux framework. The flaw allows security rules to be bypassed under specific conditions and affects a significant share of Java applications that rely on the Spring development framework. Although vendors' severity assessments vary, updating to a fixed version is essential.

Detailed Description:
The recently identified vulnerability, CVE-2024-38821, specifically affects applications built on the Spring WebFlux framework, an integral part of the Java development ecosystem. Given how widely Spring is used among Java applications, this vulnerability poses a serious risk that calls for prompt action by developers and security professionals.

Key Points:
– **Vulnerability Overview**:
  – The CVE-2024-38821 vulnerability allows security rules to be bypassed when specific conditions are met within Spring WebFlux apps.
  – Affected apps must serve static resources without permitAll authorization rules for the vulnerability to be exploited.

– **Affected Versions**:
  – Spring Framework versions that are vulnerable:
    – 5.7.x (fixed in 5.7.13)
    – 5.8.x (fixed in 5.8.15)
    – 6.0.x (fixed in 6.0.13)
    – 6.1.x (fixed in 6.1.11)
    – 6.2.x (fixed in 6.2.7)
  – Older, unsupported versions may also be susceptible.

– **Severity Assessments**:
  – The vulnerability has a critical CVSS score of 9.1 according to the National Vulnerability Database (NVD).
  – Vendor assessments vary; for example, IBM's assessment rates it at 7.4, considering it of moderate risk. This discrepancy is due to the conditions required for exploitation.
  – Italy's Computer Security Incident Response Team (CSIRT-ITA) assessed the risk as high, scoring it at 65.51 out of 100.

– **Implications for Security Teams**:
  – Immediate review and update of all Spring applications deployed in the organization are crucial.
  – Developers should check whether their applications meet the narrowly defined preconditions in order to determine whether they are vulnerable.
  – Security teams must communicate clearly about the differing severity assessments and what they mean for compliance and risk posture.
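The version list above is the concrete check a security team can automate. The following Python script is an added example, not code from the article or from the Spring project: it reads dependency lines in the `groupId:artifactId:type:version:scope` shape that Maven's `dependency:list` goal prints (the sample lines here are constructed, not from a real build), pulls out every `org.springframework.security` artifact, and classifies its version against the fixed releases named on the page (5.7.13, 5.8.15, 6.0.13, 6.1.11, 6.2.7). The page labels the list "Spring Framework versions"; matching on the `org.springframework.security` group is my assumption, since those release lines are the ones shipped as Spring Security artifacts. Branches older than 5.7 are reported as `unsupported` (the page says they may also be susceptible), and branches not on the page's list are reported as `unlisted` so they get looked up in the advisory rather than silently passed.

```python
"""Classify Spring Security artifact versions against the fixed releases
listed for CVE-2024-38821.

Added example. The dependency lines below are constructed for the demo and
follow the groupId:artifactId:type:version:scope format of Maven's
dependency:list output; they are not taken from a real project.
"""
import re
from typing import List, Tuple

# First fixed release per branch, exactly as listed on the page.
FIXED_BY_BRANCH = {
    (5, 7): (5, 7, 13),
    (5, 8): (5, 8, 15),
    (6, 0): (6, 0, 13),
    (6, 1): (6, 1, 11),
    (6, 2): (6, 2, 7),
}
OLDEST_LISTED_BRANCH = min(FIXED_BY_BRANCH)

# Assumption: the affected artifacts live under this Maven group.
SPRING_SECURITY_GROUP = "org.springframework.security"

# Matches a Maven coordinate such as
# "org.springframework.security:spring-security-web:jar:6.1.10:compile".
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+)"
    r":(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed sample: a build with mixed Spring Security versions.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.springframework:spring-webflux:jar:6.1.12:compile
[INFO]    org.springframework.security:spring-security-core:jar:6.1.10:compile
[INFO]    org.springframework.security:spring-security-web:jar:6.1.10:compile
[INFO]    org.springframework.security:spring-security-config:jar:6.1.11:compile
[INFO]    org.springframework.security:spring-security-crypto:jar:5.6.12:compile
""".splitlines()


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '6.1.10', '6.1.10-SNAPSHOT' or '5.7.13.RELEASE' into (6, 1, 10)-style
    tuples. Qualifiers after '-' or beyond the third component are dropped."""
    core = version.split("-")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    major, minor, patch = (nums + [0, 0, 0])[:3]
    return (major, minor, patch)


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'unsupported' (branch older than any listed)
    or 'unlisted' (branch not on the page's list; check the advisory directly)."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "unsupported" if branch < OLDEST_LISTED_BRANCH else "unlisted"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


def audit_dependency_lines(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, verdict) for each Spring Security artifact found."""
    results = []
    for line in lines:
        m = COORD_RE.search(line)
        if not m or m.group("group") != SPRING_SECURITY_GROUP:
            continue
        version = m.group("version")
        results.append((m.group("artifact"), version, classify(version)))
    return results


def needs_action(results: List[Tuple[str, str, str]]) -> bool:
    """True if any artifact is on a vulnerable or unsupported release."""
    return any(verdict in ("vulnerable", "unsupported") for _, _, verdict in results)


if __name__ == "__main__":
    findings = audit_dependency_lines(SAMPLE_DEPENDENCY_LIST)
    for artifact, version, verdict in findings:
        print(f"{artifact:<28} {version:<10} {verdict}")
    print("action required" if needs_action(findings) else "no action required")
```

Run it against the real output of `mvn dependency:list` (or any list of coordinates) by replacing the constructed sample; every artifact is checked individually because a build can mix versions, as the sample deliberately does.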

This situation underscores the necessity for continuous monitoring and updating of software components in Java applications to maintain compliance and secure organizational data effectively.