Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2020-5408, CVE-2020-5407 |
CWE-ID | CWE-330, CWE-347 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Spring Security (Server applications / Frameworks for developing and running applications) |
Vendor | VMware, Inc |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU28463
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-5408
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected software uses a fixed null initialization vector (IV) with CBC mode in the implementation of the queryable text encryptor. Because the IV never changes, equal plaintexts always produce equal ciphertexts, so a remote authenticated attacker can derive the unencrypted values using a dictionary attack.
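The following is an added illustration, not code from this bulletin or from Spring Security, of why a constant all-zero IV in CBC mode is dangerous: the encryptor becomes deterministic, so anyone who can read the stored ciphertexts can tell which records hold the same value without knowing the key, and a fresh random IV per message removes that leak. It runs on the standard library only, using a small hash-based Feistel block cipher as a stand-in for AES; the key, sample values and the helper names (`encrypt_fixed_iv`, `encrypt_random_iv`, `is_deterministic`, `duplicate_ciphertext_groups`) are constructed for the demonstration and do not correspond to Spring's API.

```python
import hashlib
import hmac
import os

BLOCK = 16                # block size in bytes, as for AES
ROUNDS = 6
ZERO_IV = bytes(BLOCK)    # the "fixed null IV" pattern described in the bulletin


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed, round-dependent pseudorandom function for the Feistel network.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte Feistel block cipher standing in for AES (demonstration only, not AES)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    # PKCS#7 padding to a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# Weak construction (the advisory's pattern): constant zero IV, so encryption is deterministic.
def encrypt_fixed_iv(key: bytes, plaintext: bytes) -> bytes:
    return cbc_encrypt(key, ZERO_IV, pad(plaintext))


def decrypt_fixed_iv(key: bytes, ct: bytes) -> bytes:
    return unpad(cbc_decrypt(key, ZERO_IV, ct))


# Corrected construction: fresh random IV per message, prepended to the ciphertext.
def encrypt_random_iv(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pad(plaintext))


def decrypt_random_iv(key: bytes, blob: bytes) -> bytes:
    return unpad(cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:]))


def is_deterministic(encrypt, key: bytes, probe: bytes = b"probe") -> bool:
    """Audit check: an encryptor that yields the same ciphertext twice for one input leaks equality."""
    return encrypt(key, probe) == encrypt(key, probe)


def duplicate_ciphertext_groups(ciphertexts) -> int:
    """Count groups of identical stored ciphertexts. With a fixed IV every group is a set of
    records holding the same plaintext, visible to anyone with read access and no key."""
    seen = {}
    for ct in ciphertexts:
        seen[ct] = seen.get(ct, 0) + 1
    return sum(1 for n in seen.values() if n > 1)


if __name__ == "__main__":
    key = b"constructed-key!"                      # 16-byte sample key, constructed for the demo
    values = [b"alice@example.com", b"bob@example.com", b"alice@example.com"]  # constructed sample column
    weak = [encrypt_fixed_iv(key, v) for v in values]
    good = [encrypt_random_iv(key, v) for v in values]
    print("fixed IV deterministic:", is_deterministic(encrypt_fixed_iv, key))      # True
    print("random IV deterministic:", is_deterministic(encrypt_random_iv, key))    # False
    print("duplicate groups, fixed IV:", duplicate_ciphertext_groups(weak))        # 1
    print("duplicate groups, random IV:", duplicate_ciphertext_groups(good))       # 0
```

The `is_deterministic` check is the quick test to run against any encryptor before trusting it for stored fields: encrypting one value twice must not return the same bytes. Note that a random IV only hides equality; it does not authenticate the ciphertext, which is why an authenticated mode such as AES-GCM is the usual replacement rather than CBC with a random IV alone.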
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Spring Security: 4.2.0 - 5.3.1
References
https://tanzu.vmware.com/security/cve-2020-5408
https://github.com/spring-projects/spring-security/issues/8317
https://github.com/spring-projects/spring-security/commit/d1909ec9c8844cfa6b63bab5c2591f14d714ef6b
https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-570204
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU28464
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-5407
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a signature wrapping issue during SAML response validation when using the "spring-security-saml2-service-provider" component. A remote authenticated attacker can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Spring Security: 5.2.0 - 5.3.1
References
https://lists.apache.org/thread.html/r73af928cf64bebf78b7fa4bc56a5253273ec7829f5f5827f64c72fc7@%3Cissues.servicemix.apache.org%3E
https://lists.apache.org/thread.html/ra19a4e7236877fe12bfb52db07b27ad72d9e7a9f5e27bba7e928e18a@%3Cdev.geode.apache.org%3E
https://lists.apache.org/thread.html/rd99601fbca514f214f88f9e53fd5be3cfbff05b350c994b4ec2e184c@%3Cdev.geode.apache.org%3E
https://tanzu.vmware.com/security/cve-2020-5407
https://github.com/spring-projects/spring-security/tree/5.2.3.RELEASE/samples/boot/saml2login
https://docs.spring.io/spring-security/site/docs/5.2.3.RELEASE/reference/html5/#saml2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.