https://bugzilla.redhat.com/show_bug.cgi?id=1493502
Bug ID: 1493502
Summary: CVE-2017-8045 springframework-amqp: Message.toString() deserializes java without a whitelist
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: java-sig-commits@lists.fedoraproject.org, puntogil@libero.it
In affected versions of Spring AMQP, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
Upstream issue:
https://jira.spring.io/browse/AMQP-766
Upstream patch:
https://github.com/spring-projects/spring-amqp/commit/36e55998f6352ba3498be9...
References:
https://pivotal.io/security/cve-2017-8045
https://bugzilla.redhat.com/show_bug.cgi?id=1493502
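As an added illustration of the whitelist the summary refers to (example code written for this page, not Spring AMQP's code or the upstream patch; the class and method names are hypothetical), an ObjectInputStream that refuses to resolve any class outside an allow-list, applied to a serialized body the way a toString() conversion would otherwise deserialize it unrestricted:

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

// Added example with hypothetical names (not Spring AMQP's code): deserialize an
// untrusted body only through a stream that enforces a class allow-list.
public class AllowListDeserialization {
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final List<Pattern> allowed;
        AllowListObjectInputStream(InputStream in, List<Pattern> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (Pattern p : allowed) {
                if (p.matcher(name).matches()) return super.resolveClass(desc);
            }
            // Rejected before the class is loaded, so nothing gets instantiated.
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Renders a body by deserializing it, as an unrestricted toString() would, but
    // only via the allow-listing stream, so unknown classes fail before instantiation.
    static String bodyToString(byte[] body, List<Pattern> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                new AllowListObjectInputStream(new ByteArrayInputStream(body), allowed)) {
            return String.valueOf(ois.readObject());
        }
    }
    public static void main(String[] args) throws Exception {
        List<Pattern> allowed = List.of(Pattern.compile("java\\.lang\\..*"));
        // Constructed sample bodies: a String passes, a HashMap is rejected.
        System.out.println(bodyToString(serialize("hello"), allowed));
        try {
            bodyToString(serialize(new HashMap<String, String>()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the JDK's built-in ObjectInputFilter (ObjectInputStream.setObjectInputFilter) instead of overriding resolveClass.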
Andrej Nemec anemec@redhat.com changed:
What      |Removed |Added
--------------------------------
Depends On|        |1493503
--- Comment #1 from Andrej Nemec anemec@redhat.com --- Created springframework-amqp tracking bugs for this issue:
Affects: fedora-all [bug 1493503]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1493503 [Bug 1493503] CVE-2017-8045 springframework-amqp: Message.toString() deserializes java without a whitelist [fedora-all]
Bug 1493502 depends on bug 1493503, which changed state.
Bug 1493503 Summary: CVE-2017-8045 springframework-amqp: Message.toString() deserializes java without a whitelist [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1493503
What      |Removed |Added
--------------------------------
Status    |NEW     |CLOSED
Resolution|---     |EOL
Bug 1493502 depends on bug 1493503, which changed state.
Bug 1493503 Summary: CVE-2017-8045 springframework-amqp: Message.toString() deserializes java without a whitelist [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1493503
What      |Removed |Added
--------------------------------
Status    |CLOSED  |NEW
Resolution|EOL     |---