Security Bulletin: ARender is not vulnerable to CVE-2022-42889 (Spring Web library)

This security bulletin provides an important update regarding a recently reported vulnerability in the Spring Web library and its impact on ARender.

The latest developments and security measures related to ARender can be found on the technical blog at https://hub.arender.io/technical-blog.

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.

Depending on how the library is used within a product, the issue may or may not be reachable, and authentication may be required.

The org.springframework:spring-web package is vulnerable to deserialization of untrusted data leading to Remote Code Execution (RCE). The readRemoteInvocation method in HttpInvokerServiceExporter.class does not properly verify or restrict untrusted objects before deserializing them. An attacker can exploit this vulnerability by sending malicious requests containing crafted objects, which execute arbitrary code on the vulnerable system when deserialized.

Impact on ARender

ARender does not use Http Invoker (HttpInvokerServiceExporter and RemoteInvocationSerializingExporter) for Java deserialization.

ARender is not affected by this vulnerability.
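The statement above rests on one check: whether an application instantiates the Http Invoker exporter classes at all. The following is an added example (not ARender's own code) that performs that check over Spring XML bean definitions and Java sources; the bean names, package names and sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Exporter classes whose presence exposes the Java-deserialization path in the bulletin.
HTTP_INVOKER_CLASSES = {
    "org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter",
    "org.springframework.remoting.rmi.RemoteInvocationSerializingExporter",
}
SIMPLE_NAMES = {c.rsplit(".", 1)[1] for c in HTTP_INVOKER_CLASSES}
JAVA_REF = re.compile(r"\b(" + "|".join(sorted(SIMPLE_NAMES)) + r")\b")

def find_exporters_in_xml(xml_text):
    """Return (bean id/name, class) for every bean that instantiates an exporter.

    A bean name starting with '/' is the URL path BeanNameUrlHandlerMapping would expose."""
    hits = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.split("}")[-1] != "bean":          # tolerate the beans namespace
            continue
        cls = el.get("class", "")
        if cls in HTTP_INVOKER_CLASSES:
            hits.append((el.get("id") or el.get("name") or "<anonymous>", cls))
    return hits

def find_exporters_in_java(java_text):
    """Return the exporter class names referenced by Java source (imports, @Bean types, new)."""
    return sorted(set(JAVA_REF.findall(java_text)))

def http_invoker_exposure(xml_sources, java_sources):
    """Summarise whether the given configuration wires up any Http Invoker endpoint."""
    beans = [h for text in xml_sources for h in find_exporters_in_xml(text)]
    refs = sorted({r for text in java_sources for r in find_exporters_in_java(text)})
    return {"exposed": bool(beans or refs), "xml_beans": beans, "java_refs": refs}

# Constructed sample inputs (hypothetical application, not ARender configuration).
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="accountService" class="com.example.AccountServiceImpl"/>
  <bean name="/remoting/AccountService"
        class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="service" ref="accountService"/>
  </bean>
</beans>"""
SAMPLE_JAVA = """import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
@Bean(name = "/remoting/AccountService")
public HttpInvokerServiceExporter accountExporter(AccountService svc) { return null; }"""

if __name__ == "__main__":
    print(http_invoker_exposure([SAMPLE_XML], [SAMPLE_JAVA]))
```

An application whose scan reports `exposed: False` is in the position the bulletin describes for ARender; one that reports endpoints should upgrade Spring or remove the exporter beans.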

Links

https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
https://www.opencve.io/cve/CVE-2016-1000027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000027
https://github.com/spring-projects/spring-framework/issues/24434