Vulnerability CVE-2018-11039 - CERT Civis.Net

Vulnerability Name:

CVE-2018-11039 (CCN-145412)

Assigned:

2018-06-14

Published:

2018-06-14

Updated:

2022-06-23

Summary:

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

CVSS v3 Severity:

5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2018-11039

Source: CCN
Type: Oracle CPUOct2018
Oracle Critical Patch Update Advisory - October 2018

Source: CONFIRM
Type: Patch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Source: BID
Type: Broken Link, Third Party Advisory, VDB Entry
107984

Source: XF
Type: UNKNOWN
pivotal-cve201811039-xst(145412)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update

Source: CCN
Type: Pivotal Web site
CVE-2018-11039: Cross Site Tracing (XST) with Spring Framework

Source: CONFIRM
Type: Mitigation, Vendor Advisory
https://pivotal.io/security/cve-2018-11039

Source: CCN
Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6841803 (Cognos Controller)
IBM Cognos Controller has addressed multiple vulnerabilities

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: CONFIRM
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-11039

Vulnerable Configuration:

Configuration 1:

cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.0.0 and < 5.0.7)

OR cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version < 4.3.18)

Configuration 2:

cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version < 8.3)

OR cpe:/a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:* (Version < 10.2.1)

OR cpe:/a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* (Version < 6.1.0.4.0)

OR cpe:/a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_network_integrity:*:*:*:*:*:*:*:* (Version >= 7.3.2 and <= 7.3.6)

OR cpe:/a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.3.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:insurance_calculation_engine:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.3.1)

OR cpe:/a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version <= 3.4.9.4237)

OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version >= 4.0.0 and <= 4.0.6.5281)

OR cpe:/a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.0.2.8191)

OR cpe:/a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_markdown_optimization:13.4.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:14.0.3.26:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:14.1.3.37:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_predictive_application_server:15.0.3..100:*:*:*:*:*:*:*

OR cpe:/a:oracle:utilities_network_management_system:1.12.0.3:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:pivotal:spring_framework:4.1.0:*:*:*:*:*:*:*

OR cpe:/a:pivotal:spring_framework:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:pivotal:spring_framework:5.0.6:*:*:*:*:*:*:*

OR cpe:/a:pivotal:spring_framework:4.3.17:*:*:*:*:*:*:*

AND

cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.xenial:def:2018110390000000	V	CVE-2018-11039 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-25
oval:com.ubuntu.artful:def:201811039000	V	CVE-2018-11039 on Ubuntu 17.10 (artful) - medium.	2018-06-25
oval:com.ubuntu.xenial:def:201811039000	V	CVE-2018-11039 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-25
oval:com.ubuntu.disco:def:2018110390000000	V	CVE-2018-11039 on Ubuntu 19.04 (disco) - medium.	2018-06-25
oval:com.ubuntu.bionic:def:201811039000	V	CVE-2018-11039 on Ubuntu 18.04 LTS (bionic) - medium.	2018-06-25
oval:com.ubuntu.cosmic:def:2018110390000000	V	CVE-2018-11039 on Ubuntu 18.10 (cosmic) - medium.	2018-06-25
oval:com.ubuntu.cosmic:def:201811039000	V	CVE-2018-11039 on Ubuntu 18.10 (cosmic) - medium.	2018-06-25
oval:com.ubuntu.bionic:def:2018110390000000	V	CVE-2018-11039 on Ubuntu 18.04 LTS (bionic) - medium.	2018-06-25
oval:com.ubuntu.trusty:def:201811039000	V	CVE-2018-11039 on Ubuntu 14.04 LTS (trusty) - medium.	2018-06-25