Is Spring Cloud Services Impacted by Spring Config Server's CVE-2020-5410
Article ID: 297124


Products

Support Only for Spring

Issue/Introduction

The open source Spring Cloud Config project, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request with a specially crafted URL that leads to a directory traversal attack.

This was reported in an announcement via the Tanzu Security channel.

The Tanzu Spring Cloud Services offering is a commercial product which includes Spring Cloud Config server. This article covers which versions of SCS are impacted by the CVE and provides directions on how to proceed with mitigation.

Resolution

Spring Cloud Services versions 3.1.0 through 3.1.11 include versions of Spring Cloud Config Server which are impacted by CVE-2020-5410. In addition, all versions of Spring Cloud Services 3.0 and 2.1, as well as older, no-longer-supported versions of the product, also ship versions of Spring Cloud Config Server which are impacted by CVE-2020-5410.

If you are running an impacted version of SCS 3.1, you may upgrade to 3.1.12+ to resolve this issue. Starting in 3.1.12, SCS includes version 2.2.3 of Spring Cloud Config Server, which has a fix for CVE-2020-5410. Once you upgrade, it is absolutely critical that you also upgrade all instances of Spring Cloud Config Server that have been deployed by SCS. This is required so that individual service instances are recreated using the patched code. Please see the upgrade instructions here for details on how to upgrade individual service instances.

As of the published date of this KB, the version branches for 2.1.x and 3.0.x are not planned to receive updates with patched versions of Spring Cloud Config Server.

If you are running a version of SCS which does not have a patch for CVE-2020-5410, you are likely still fine. As is indicated in the CVE announcement, securing Spring Cloud Config Server with Spring Security is an effective mitigation, as it limits the vulnerability to only those who hold valid credentials. Since Spring Cloud Services has always deployed Spring Cloud Config Server instances with Spring Security (tied into UAA) enabled, even older unpatched versions of SCS remain relatively safe: only someone with valid credentials could perform this attack.

If you are on an impacted version and unable to upgrade to SCS 3.1.12+, VMware Support recommends that you review the situation with your company's Security team and confirm if the mitigation of having Spring Security enabled is sufficient for your needs.
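For readers running the open source Spring Cloud Config Server outside of SCS, the following added example (not code from this article or from the SCS product, which uses its own UAA integration) shows what "secured with Spring Security" means in practice: every config endpoint requires authentication, so unauthenticated traversal requests are rejected before the config server handles them. It assumes Spring Boot 2.x with spring-boot-starter-security and spring-cloud-config-server on the classpath; the class and bean names are illustrative.

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.config.server.EnableConfigServer;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Illustrative config server application; the class name is an assumption.
@SpringBootApplication
@EnableConfigServer
public class ConfigServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(ConfigServerApplication.class, args);
    }
}

// Explicit Spring Security configuration for the config server.
// With spring-boot-starter-security present, Spring Boot already secures all
// endpoints by default; stating the rule explicitly prevents a later change
// from accidentally opening the /{application}/{profile} endpoints with permitAll().
@Configuration
@EnableWebSecurity
class ConfigServerSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // No anonymous access anywhere: a crafted traversal URL from an
                // unauthenticated client gets a 401 before reaching the resource handler.
                .anyRequest().authenticated()
            .and()
            // HTTP Basic is what Spring Cloud Config clients use via
            // spring.cloud.config.username / spring.cloud.config.password.
            .httpBasic();
    }
}
```

Credentials for the single built-in user come from spring.security.user.name and spring.security.user.password in application.yml (or from a proper identity provider such as UAA or LDAP); this limits exposure rather than removing it, which is why the article still directs impacted SCS 3.1 installations to upgrade to 3.1.12+.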

If you have additional questions or require additional information, please open a VMware Support ticket.