A remote code execution vulnerability (CVE-2017-8046) in Pivotal's very popular Spring Framework was disclosed last week by the team at lgtm, although the original vulnerability dates back 7 months to late 2017.
Sonatype will provide continuous updates on this vulnerability in this blog throughout the day. Please check back here for more updates as we post them.
A remote code execution vulnerability was discovered in 2017 in the Spring Data REST and Spring Boot components. Users of Sonatype's Nexus platform were informed of the vulnerability immediately following the September 2017 disclosure, enabling them to take immediate remediation actions.
Here is a sample of the vulnerability identification within Sonatype's Nexus platform powered by the IQ Server. This not only allows for identification of the vulnerability, but immediate identification of the safe component versions available for team's to use.
How Popular is Spring Boot?
The Spring Boot vulnerability is extremely popular among web developers. The chart from ZeroTurnaround's Rebel Labs survey below illustrates the widespread adoption of the Spring component.
Sonatype's VP and DevOps Advocate, Derek Weeks posted an update on Facebook Live this morning discussing the Spring Boot and Spring Data RCE vulnerability. Derek also spoke of the importance of fast feedback loops in DevSecOps pipelines, noting that it is important for development teams to have automated access to the vulnerability disclosure details and the safe remediation paths available.
To help development teams not currently using our Nexus platform identify Spring Boot, Spring Data and other vulnerabilities in their applications, Sonatype offers a free service called Application Health Check (AHC). AHC can analyze applications within seconds, pointing out any known vulnerabilities or open source license risks within an application.
Those interested in using the free AHC service today, can find it here.
Sonatype's Director of Solutions Architecture, Ilkka Turunen, has posted a 7-minute video demonstrating how users of our Nexus platform can identify and remediate the RCE vulnerability in Spring Boot (CVE-2017-8046).