:
Skip Navigation
Resources Blog Remote code execution vulnerability (CVE-2017-8046) in ...

Remote code execution vulnerability (CVE-2017-8046) in Pivotal's Spring Framework

A remote code execution vulnerability (CVE-2017-8046) in Pivotal's very popular Spring Framework was disclosed last week by the team at lgtm, although the original vulnerability dates back 7 months to late 2017.  

Sonatype will provide continuous updates on this vulnerability in this blog throughout the day. Please check back here for more updates as we post them.

---

10:00am ET

A remote code execution vulnerability was discovered in 2017 in the Spring Data REST and Spring Boot components.  Users of Sonatype's Nexus platform were informed of the vulnerability immediately following the September 2017 disclosure, enabling them to take immediate remediation actions.

Here is a sample of the vulnerability identification within Sonatype's Nexus platform powered by the IQ Server.  This not only allows for identification of the vulnerability, but immediate identification of the safe component versions available for team's to use.

Screen Shot 2018-03-05 at 10.20.42 AM.png

 

How Popular is Spring Boot?

The Spring Boot vulnerability is extremely popular among web developers.  The chart from ZeroTurnaround's Rebel Labs survey below illustrates the widespread adoption of the Spring component. 

Spring useage.png

10:15am ET

Sonatype's VP and DevOps Advocate, Derek Weeks posted an update on Facebook Live this morning discussing the Spring Boot and Spring Data RCE vulnerability.  Derek also spoke of the importance of fast feedback loops in DevSecOps pipelines, noting that it is important for development teams to have automated access to the vulnerability disclosure details and the safe remediation paths available.

 

 

 

10:20am ET

To help development teams not currently using our Nexus platform identify Spring Boot, Spring Data and other vulnerabilities in their applications, Sonatype offers a free service called Application Health Check (AHC).  AHC can analyze applications within seconds, pointing out any known vulnerabilities or open source license risks within an application.

Those interested in using the free AHC service today, can find it here.

 

12:01pm ET

Sonatype's Director of Solutions Architecture, Ilkka Turunen, has posted a 7-minute video demonstrating how users of our Nexus platform can identify and remediate the RCE vulnerability in Spring Boot (CVE-2017-8046).

 Screen Shot 2018-03-05 at 12.03.35 PM.png

 

 

 

 

 

Picture of Derek Weeks

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.