Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027
• https://security-tracker.debian.org/tracker/CVE-2016-1000027
• https://www.tenable.com/security/research/tra-2016-20
• spring-projects/spring-framework#24434
• spring-projects/spring-framework#24434 (comment)
• spring-projects/spring-framework@5cbe90b
• https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027
• spring-projects/spring-framework#21680
• spring-projects/spring-framework@2b051b8
• https://jira.spring.io/browse/SPR-17143?redirect=false
• spring-projects/spring-framework#24434 (comment)
• spring-projects/spring-framework#24434 (comment)
• spring-projects/spring-framework#24434 (comment)
• https://security.netapp.com/advisory/ntap-20230420-0009/
• https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now