Vulnerability Name: CVE-2018-1275 (CCN-141565)

Assigned: 2017-12-06
Published: 2018-04-10
Updated: 2022-06-23
Summary: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-94
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2018-1275

Source: CCN
Type: Oracle CPUJan2019
Oracle Critical Patch Update Advisory - January 2019

Source: CCN
Type: Oracle CPUJul2018
Oracle Critical Patch Update Advisory - July 2018

Source: CONFIRM
Type: Patch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: CCN
Type: Oracle CPUJul2019
Oracle Critical Patch Update Advisory - July 2019

Source: CCN
Type: Oracle CPUOct2018
Oracle Critical Patch Update Advisory - October 2018

Source: CONFIRM
Type: Patch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Source: BID
Type: Third Party Advisory, VDB Entry
103771

Source: CCN
Type: BID-103771
Pivotal Spring Framework CVE-2018-1275 Incomplete Fix Remote Code Execution Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1041301

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:1320

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:2939

Source: XF
Type: UNKNOWN
pivotal-cve20181275-code-exec(141565)

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar

Source: CCN
Type: Pivotal Web site
CVE-2018-1275: Address partial fix for CVE-2018-1270

Source: CONFIRM
Type: Vendor Advisory
https://pivotal.io/security/cve-2018-1275

Source: CCN
Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6841803 (Cognos Controller)
IBM Cognos Controller has addressed multiple vulnerabilities

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CONFIRM
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 5.0.0 and < 5.0.5)
  • OR cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version >= 4.3.0 and < 4.3.16)

Configuration 2:
  • cpe:/a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version < 8.3)
  • OR cpe:/a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:* (Version < 10.2.1)
  • OR cpe:/a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* (Version < 7.0.0.1)
  • OR cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* (Version < 6.1.0.4.0)
  • OR cpe:/a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:pivotal:spring_framework:5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:pivotal:spring_framework:5.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:pivotal:spring_framework:4.3:*:*:*:*:*:*:*
  • OR cpe:/a:pivotal:spring_framework:4.3.15:*:*:*:*:*:*:*
  • AND
  • cpe:/a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker_cloud_service:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker_cloud_service:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker_cloud_service:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_open_commerce_platform_cloud_service:5.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_open_commerce_platform_cloud_service:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_repository:12.1.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_testing_suite:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration_j2ee:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration_j2ee:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration_j2ee:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_policy_administration_j2ee:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_fin_install:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:financial_services_behavior_detection_platform:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_open_commerce_platform_cloud_service:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_converged_application_server_-_service_controller:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_converged_application_server_-_service_controller:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:com.ubuntu.xenial:def:201812750000000 | V | CVE-2018-1275 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-04-11 |
| oval:com.ubuntu.artful:def:20181275000 | V | CVE-2018-1275 on Ubuntu 17.10 (artful) - untriaged. | 2018-04-11 |
| oval:com.ubuntu.xenial:def:20181275000 | V | CVE-2018-1275 on Ubuntu 16.04 LTS (xenial) - untriaged. | 2018-04-11 |
| oval:com.ubuntu.disco:def:201812750000000 | V | CVE-2018-1275 on Ubuntu 19.04 (disco) - medium. | 2018-04-11 |
| oval:com.ubuntu.bionic:def:20181275000 | V | CVE-2018-1275 on Ubuntu 18.04 LTS (bionic) - untriaged. | 2018-04-11 |
| oval:com.ubuntu.cosmic:def:201812750000000 | V | CVE-2018-1275 on Ubuntu 18.10 (cosmic) - medium. | 2018-04-11 |
| oval:com.ubuntu.cosmic:def:20181275000 | V | CVE-2018-1275 on Ubuntu 18.10 (cosmic) - untriaged. | 2018-04-11 |
| oval:com.ubuntu.bionic:def:201812750000000 | V | CVE-2018-1275 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-04-11 |
| oval:com.ubuntu.trusty:def:20181275000 | V | CVE-2018-1275 on Ubuntu 14.04 LTS (trusty) - untriaged. | 2018-04-11 |