CVE-2020-5413

31.07.2020, 20:15

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
pivotal	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 83%

Vendor	Product	Version
vmware	spring_integration	4.3.0 ≤ 𝑥 ≤ 4.3.22
vmware	spring_integration	5.1.0 ≤ 𝑥 ≤ 5.1.11
vmware	spring_integration	5.2.0 ≤ 𝑥 ≤ 5.2.7
vmware	spring_integration	5.3.0 ≤ 𝑥 ≤ 5.3.1
oracle	banking_corporate_lending_process_management	14.2.0
oracle	banking_corporate_lending_process_management	14.3.0
oracle	banking_corporate_lending_process_management	14.5.0
oracle	banking_credit_facilities_process_management	14.2.0
oracle	banking_credit_facilities_process_management	14.3.0
oracle	banking_credit_facilities_process_management	14.5.0
oracle	banking_supply_chain_finance	14.2.0
oracle	banking_supply_chain_finance	14.3.0
oracle	banking_supply_chain_finance	14.5.0
oracle	banking_virtual_account_management	14.2.0
oracle	banking_virtual_account_management	14.3.0
oracle	banking_virtual_account_management	14.5.0
oracle	flexcube_private_banking	12.0.0
oracle	flexcube_private_banking	12.1.0
oracle	retail_customer_management_and_segmentation_foundation	16.0 ≤ 𝑥 ≤ 19.0
oracle	retail_merchandising_system	16.0.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://tanzu.vmware.com/security/cve-2020-5413

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://tanzu.vmware.com/security/cve-2020-5413

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpuoct2021.html