Vulnerability CVE-2020-5413 - CERT Civis.Net

Vulnerability Name:

CVE-2020-5413 (CCN-186211)

Assigned:

2020-07-19

Published:

2020-07-19

Updated:

2022-05-12

Summary:

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2020-5413

Source: XF
Type: UNKNOWN
vmwaretanzu-cve20205413-code-exec(186211)

Source: CCN
Type: VMware Tanzu Web site
CVE-2020-5413: Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets"

Source: CONFIRM
Type: Vendor Advisory
https://tanzu.vmware.com/security/cve-2020-5413

Source: CCN
Type: IBM Security Bulletin 6410788 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-5413

Vulnerable Configuration:

Configuration 1:

cpe:/a:vmware:spring_integration:*:*:*:*:*:*:*:* (Version >= 5.3.0 and <= 5.3.1)

OR cpe:/a:vmware:spring_integration:*:*:*:*:*:*:*:* (Version >= 5.2.0 and <= 5.2.7)

OR cpe:/a:vmware:spring_integration:*:*:*:*:*:*:*:* (Version >= 5.1.0 and <= 5.1.11)

OR cpe:/a:vmware:spring_integration:*:*:*:*:*:*:*:* (Version >= 4.3.0 and <= 4.3.22)

Configuration 2:

cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:* (Version >= 16.0 and <= 19.0)

OR cpe:/a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:flexcube_private_banking:12.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:flexcube_private_banking:12.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*

Denotes that component is vulnerable