SB2020060107 - Multiple vulnerabilities in VMware Spring Security
Published: June 1, 2020
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Use of insufficiently random values (CVE-ID: CVE-2020-5408)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected software uses a fixed null initialization vector with CBC mode in the implementation of the queryable text encryptor. A remote authenticated attacker can derive the unencrypted values using a dictionary attack.
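The following added example (not code from Spring Security or from this bulletin) shows why a fixed null IV with CBC mode is a problem: encryption becomes deterministic, so equal plaintexts and equal leading blocks produce equal ciphertext, while a fresh random IV per message removes that property. It uses the JDK's javax.crypto directly rather than the Spring Security encryptor API; the class name, key and sample values are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration; hypothetical class name, not part of Spring Security.
public class FixedIvCbcDemo {
    private static final SecureRandom RNG = new SecureRandom();

    static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        return b;
    }

    // AES-CBC encryption with a caller-supplied IV; returns ciphertext only.
    static byte[] encrypt(byte[] key, byte[] iv, String plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] firstBlock(byte[] ciphertext) {
        return Arrays.copyOf(ciphertext, 16); // AES block size is 16 bytes
    }

    public static void main(String[] args) throws Exception {
        byte[] key = randomBytes(16);   // constructed demo key
        byte[] nullIv = new byte[16];   // all-zero IV: the weak setting
        // Constructed sample values; both share the same first 16 bytes.
        String a = "account=00012345;owner=alice";
        String b = "account=00012345;owner=bob";

        // Weak: the same plaintext always maps to the same ciphertext.
        boolean sameCiphertext =
            Arrays.equals(encrypt(key, nullIv, a), encrypt(key, nullIv, a));
        // Weak: a shared first plaintext block yields a shared first ciphertext block.
        boolean samePrefixBlock =
            Arrays.equals(firstBlock(encrypt(key, nullIv, a)), firstBlock(encrypt(key, nullIv, b)));
        // Corrected: a fresh random IV per message (stored alongside the ciphertext
        // so it can be decrypted) makes repeated encryptions differ.
        boolean randomIvRepeats =
            Arrays.equals(encrypt(key, randomBytes(16), a), encrypt(key, randomBytes(16), a));

        System.out.println("null IV, same plaintext -> same ciphertext: " + sameCiphertext);
        System.out.println("null IV, same first block -> same first ciphertext block: " + samePrefixBlock);
        System.out.println("random IV, same plaintext -> same ciphertext: " + randomIvRepeats);
    }
}
```

A regression test built on the first check (encrypt one value twice and require the outputs to differ) catches any encryptor that is deterministic where it should not be.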
2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2020-5407)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a signature wrapping issue during SAML response validation when using the "spring-security-saml2-service-provider" component. A remote authenticated attacker can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
Remediation
Install update from vendor's website.
References
- https://tanzu.vmware.com/security/cve-2020-5408
- https://github.com/spring-projects/spring-security/issues/8317
- https://github.com/spring-projects/spring-security/commit/d1909ec9c8844cfa6b63bab5c2591f14d714ef6b
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-570204
- https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7@%3Cissues.servicemix.apache.org%3E
- https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a@%3Cdev.geode.apache.org%3E
- https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c@%3Cdev.geode.apache.org%3E
- https://tanzu.vmware.com/security/cve-2020-5407
- https://github.com/spring-projects/spring-security/tree/5.2.3.RELEASE/samples/boot/saml2login
- https://docs.spring.io/spring-security/site/docs/5.2.3.RELEASE/reference/html5/#saml2