CVE-2018-1270 Remote Code Execution with spring-messaging vulnerability in Advanced Authentication

Article ID: 270500


Updated On: 01-22-2025

Products

CA Advanced Authentication - Risk Authentication (RiskMinder / RiskFort)
CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)
CA Advanced Authentication
CA Strong Authentication
CA Risk Authentication

Issue/Introduction

CVE-2018-1270, 'Remote Code Execution with spring-messaging', affects the Risk Authentication REST API component.

AA 9.1 SP2 (aka 9.1.02) ships Spring Framework libraries at version 4.3.4, which falls within the range affected by CVE-2018-1270.

Please refer to this link for CVE-2018-1270 - https://nvd.nist.gov/vuln/detail/CVE-2018-1270.

Environment

Advanced Authentication 9.1 SP2 (aka 9.1.02)

Cause

As described for CVE-2018-1270 ('Remote Code Execution with spring-messaging'), Spring Framework versions 5.0.x prior to 5.0.5, versions 4.3.x prior to 4.3.16, and older unsupported versions allow applications to expose STOMP (Streaming Text Oriented Message Protocol) over WebSocket endpoints backed by the simple, in-memory STOMP broker in the spring-messaging module. A malicious user (or attacker) can craft a message to that broker that leads to remote code execution.

AA 9.1 SP2 uses Spring Framework libraries at version 4.3.4, which is inside the affected 4.3.x range, so the product is vulnerable.

Resolution

In AA 9.1 SP5 (aka 9.1.05), multiple third-party libraries are updated to address potential security vulnerabilities, including an update of Spring Framework to 5.3.29.

Advanced Authentication Product Management recommends upgrading AA to the latest version, 9.1 SP5, to mitigate the vulnerability tracked by NIST as CVE-2018-1270.
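The version ranges above can be turned into a quick inventory check of a deployment's library directory. The script below is an added example written for this article, not CA/Broadcom tooling; it encodes the affected ranges from the CVE description (4.3.x before 4.3.16, 5.0.x before 5.0.5, and older unsupported lines), parses Spring jar filenames, and reports which jars still need the upgrade. The jar names in SAMPLE_JARS are constructed to mimic the 4.3.4 libraries this article says AA 9.1 SP2 ships.

```python
import re
from pathlib import Path

# Fixed versions per affected line, as given in the CVE description.
# Any line older than 4.3 is unsupported and treated as affected.
FIXED_VERSIONS = {(4, 3): (4, 3, 16), (5, 0): (5, 0, 5)}

# Matches e.g. spring-messaging-4.3.4.RELEASE.jar or spring-core-5.3.29.jar
JAR_RE = re.compile(
    r"^(spring-[a-z-]+)-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$"
)


def parse_spring_jar(name):
    """Return (artifact, (major, minor, patch)) for a Spring jar, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_vulnerable_cve_2018_1270(version):
    """True if a Spring Framework version is inside the ranges the CVE names."""
    line = version[:2]
    if line in FIXED_VERSIONS:
        # Tuple comparison, not string comparison: (4,3,4) < (4,3,16) holds.
        return version < FIXED_VERSIONS[line]
    return line < (4, 3)  # older unsupported lines; 5.1+ / 5.3.x are not listed


def audit_jars(names):
    """Return sorted (artifact, version) pairs that still need the upgrade."""
    findings = []
    for n in names:
        parsed = parse_spring_jar(n)
        if parsed and is_vulnerable_cve_2018_1270(parsed[1]):
            findings.append((parsed[0], ".".join(map(str, parsed[1]))))
    return sorted(findings)


def audit_directory(path):
    """Walk a deployment's lib directory (hypothetical path) and audit its jars."""
    return audit_jars(p.name for p in Path(path).rglob("*.jar"))


# Constructed sample listing: 4.3.4 jars as in AA 9.1 SP2, plus a patched one.
SAMPLE_JARS = [
    "spring-messaging-4.3.4.RELEASE.jar",
    "spring-websocket-4.3.4.RELEASE.jar",
    "spring-core-5.3.29.jar",
    "commons-lang3-3.12.0.jar",
]
```

Point audit_directory at the WAR's WEB-INF/lib before and after applying 9.1 SP5 to confirm that no 4.3.x jars remain.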

Additional Information