First published: Mon Apr 09 2018
CVE-2018-1275 covers the incomplete fix for <a href="https://access.redhat.com/security/cve/CVE-2018-1270">CVE-2018-1270</a> in the 4.3.x branch of the Spring Framework. CVE-2018-1270 allowed a malicious user to craft a STOMP message to the simple in-memory broker provided by the spring-messaging module (used by STOMP-over-WebSocket endpoints) that could lead to remote code execution; releases of the 4.3.x line before 4.3.16 did not fully close that hole.
Credit: security_alert@emc.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM GDE | <=3.0.0.2 | |
redhat/springframework | <4.3.16 | 4.3.16 |
maven/org.springframework:spring-core | >=5.0.0<5.0.5 | 5.0.5 |
maven/org.springframework:spring-core | <4.3.16 | 4.3.16 |
VMware Spring Framework | >=4.3.0<4.3.16 | |
VMware Spring Framework | >=5.0.0<5.0.5 | |
Oracle Application Testing Suite | =12.5.0.3 | |
Oracle Application Testing Suite | =13.1.0.1 | |
Oracle Application Testing Suite | =13.2.0.1 | |
Oracle Application Testing Suite | =13.3.0.1 | |
Oracle Big Data Discovery | =1.6.0 | |
Oracle Communications Converged Application Server | <7.0.0.1 | |
Oracle Communications Diameter Signaling Router | <8.3 | |
Oracle Communications Performance Intelligence Center | <10.2.1 | |
Oracle Communications Services Gatekeeper | <6.1.0.4.0 | |
Oracle Goldengate For Big Data | =12.2.0.1 | |
Oracle Goldengate For Big Data | =12.3.1.1 | |
Oracle Goldengate For Big Data | =12.3.2.1 | |
Oracle Health Sciences Information Manager | =3.0 | |
Oracle Healthcare Master Person Index | =3.0 | |
Oracle Healthcare Master Person Index | =4.0 | |
Oracle Insurance Calculation Engine | =10.1.1 | |
Oracle Insurance Calculation Engine | =10.2 | |
Oracle Insurance Calculation Engine | =10.2.1 | |
Oracle Insurance Rules Palette | =10.0 | |
Oracle Insurance Rules Palette | =10.1 | |
Oracle Insurance Rules Palette | =10.2 | |
Oracle Insurance Rules Palette | =11.0 | |
Oracle Insurance Rules Palette | =11.1 | |
Oracle Primavera Gateway | =15.2 | |
Oracle Primavera Gateway | =16.2 | |
Oracle Primavera Gateway | =17.12 | |
Oracle Retail Customer Insights | =15.0 | |
Oracle Retail Customer Insights | =16.0 | |
Oracle Retail Open Commerce Platform | =5.3.0 | |
Oracle Retail Open Commerce Platform | =6.0.0 | |
Oracle Retail Open Commerce Platform | =6.0.1 | |
Oracle Retail Order Broker | =5.1 | |
Oracle Retail Order Broker | =5.2 | |
Oracle Retail Order Broker | =15.0 | |
Oracle Retail Order Broker | =16.0 | |
Oracle Retail Predictive Application Server | =14.0 | |
Oracle Retail Predictive Application Server | =14.1 | |
Oracle Retail Predictive Application Server | =15.0 | |
Oracle Retail Predictive Application Server | =16.0 | |
Oracle Service Architecture Leveraging Tuxedo | =12.1.3.0.0 | |
Oracle Service Architecture Leveraging Tuxedo | =12.2.2.0.0 | |
Oracle Tape Library Acsls | =8.4 | |
CVE-2018-1275 is a vulnerability in the Pivotal Spring Framework that could allow a remote attacker to execute arbitrary code on the system by sending a crafted STOMP message to an application's in-memory STOMP broker.
CVE-2018-1275 has a CVSS v3 base score of 9.8 (Critical).
Spring Framework versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16, as well as older unsupported versions, are affected by CVE-2018-1275.
To fix CVE-2018-1275, upgrade the Spring Framework dependency to 5.0.5 or later if you are on the 5.0 line, or to 4.3.16 or later if you are on the 4.3 line; older unsupported lines have no patched release and must be moved to one of those branches. Note that the fix is in spring-messaging, so check every org.springframework artifact your build resolves, not only the one you declare.
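The version check described above, as an added example that is not part of this advisory or of the Spring project: a small Python script that parses Spring Framework version strings (including the `.RELEASE` and pre-release qualifiers Spring uses), decides whether a version falls inside the affected ranges stated above, and scans `mvn dependency:list` output for affected `org.springframework` jars. The `AFFECTED_BRANCHES` table, `assess` and `scan_dependency_list` names are this example's own, and the sample dependency list is constructed, not captured from a real build.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in the advisory: 4.3 < 4.3.16 and 5.0 < 5.0.5,
# plus "older unsupported versions" (anything below 4.3), which have no
# patched release of their own and must move up to 4.3.16.
AFFECTED_BRANCHES = {
    (4, 3): ((4, 3, 0), (4, 3, 16)),
    (5, 0): ((5, 0, 0), (5, 0, 5)),
}
OLDEST_SUPPORTED_FIX = "4.3.16.RELEASE"

# Spring version strings look like 4.3.15.RELEASE, 5.0.5.RC2 or
# 5.0.6.BUILD-SNAPSHOT; the qualifier is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9.-]+))?$")


def parse_spring_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, is_final).

    A pre-release build of x.y.z (RC, M, BUILD-SNAPSHOT) sorts before
    x.y.z.RELEASE: a 5.0.5 snapshot cannot be assumed to carry the 5.0.5 fix.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    qualifier = m.group(4)
    is_final = 1 if qualifier in (None, "RELEASE") else 0
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), is_final


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, upgrade_target) for one Spring Framework version."""
    major, minor, patch, is_final = parse_spring_version(version)
    v = (major, minor, patch, is_final)
    branch = (major, minor)
    if branch in AFFECTED_BRANCHES:
        low, fixed = AFFECTED_BRANCHES[branch]
        # low.* pre-releases are in range; fixed.RELEASE is the first safe build
        if low + (0,) <= v < fixed + (1,):
            return True, ".".join(map(str, fixed)) + ".RELEASE"
        return False, None
    if branch < (4, 3):
        return True, OLDEST_SUPPORTED_FIX   # older unsupported line
    return False, None                      # 5.1 and later: outside the ranges


# `mvn dependency:list` prints groupId:artifactId:type:version:scope
_DEP_RE = re.compile(r"org\.springframework:(spring-[a-z-]+):jar:([^:\s]+):")


def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, upgrade_target) for every affected jar."""
    findings = []
    for line in text.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        artifact, version = m.groups()
        vulnerable, target = assess(version)
        if vulnerable:
            findings.append((artifact, version, target))
    return findings


# Constructed sample output (not from a real build) in dependency:list format.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:4.3.15.RELEASE:compile
[INFO]    org.springframework:spring-messaging:jar:4.3.15.RELEASE:compile
[INFO]    org.springframework:spring-websocket:jar:4.3.15.RELEASE:compile
[INFO]    org.springframework.boot:spring-boot:jar:1.5.11.RELEASE:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.8.11.1:compile
"""

if __name__ == "__main__":
    for artifact, version, target in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version} is affected by CVE-2018-1275; upgrade to {target}")
```

Run it against the real output of `mvn dependency:list` (or `gradle dependencies`, after adjusting `_DEP_RE`) rather than the declared version in the pom: a transitive spring-messaging pulled in by another library is what actually ships in the deployed artifact.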
You can find more information about CVE-2018-1275 on the Red Hat security advisory page (RHSA-2018:1320) and the GitHub commit page.