Vulnerability Description
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Framework | >= 4.2.0, < 4.3.20 |
| Oracle | Agile Plm | 9.3.3 |
| Oracle | Communications Brm - Elastic Charging Engine | 11.3 |
| Oracle | Communications Converged Application Server - Service Controller | 6.0 |
| Oracle | Communications Diameter Signaling Router | 8.0.0 |
| Oracle | Communications Element Manager | 8.1.1 |
| Oracle | Communications Online Mediation Controller | 6.1 |
| Oracle | Communications Session Report Manager | 8.0.0 |
| Oracle | Communications Session Route Manager | 8.0.0 |
| Oracle | Communications Unified Inventory Management | 7.3 |
| Oracle | Endeca Information Discovery Integrator | 3.2.0 |
| Oracle | Enterprise Manager For Fusion Applications | 13.3.0.0 |
| Oracle | Enterprise Manager Ops Center | 12.3.3 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.2, <= 8.0.8 |
| Oracle | Flexcube Private Banking | 12.0.1 |
| Oracle | Goldengate Application Adapters | 12.3.2.1.0 |
| Oracle | Healthcare Master Person Index | 3.0 |
| Oracle | Identity Manager Connector | 9.0 |
| Oracle | Insurance Calculation Engine | 9.7 |
| Oracle | Insurance Policy Administration J2Ee | 10.0 |
References
- http://www.securityfocus.com/bid/105703Third Party AdvisoryVDB EntryURL Repurposed
- https://lists.apache.org/thread.html/339fd112517e4873695b5115b96acdddbfc8f83b105
- https://lists.apache.org/thread.html/77886fec378ee6064debb1efb6b464a4a0173b2ff0d
- https://lists.apache.org/thread.html/7b156ee50ba3ecce87b33c06bf7a749d84ffee55e69
- https://lists.apache.org/thread.html/8a1fe70534fc52ff5c9db5ac29c55657f802cbefd7e
- https://lists.apache.org/thread.html/a3071e11c6fbd593022074ec1b4693f6d948c2b02cf
- https://lists.apache.org/thread.html/bb354962cb51fff65740d5fb1bc2aac56af577c0624
- https://lists.apache.org/thread.html/d6a84f52db89804b0ad965f3ea2b24bb880edee2910
- https://lists.apache.org/thread.html/efaa52b0aa67aae7cbd9e6ef96945387e422d7ce0e6
- https://lists.apache.org/thread.html/f8905507a2c94af6b08b72d7be0c4b8c6660e585f00
- https://lists.debian.org/debian-lts-announce/2021/04/msg00022.htmlMailing ListThird Party Advisory
- https://pivotal.io/security/cve-2018-15756Vendor Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2020.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2020.htmlPatchThird Party Advisory
FAQ
What is CVE-2018-15756?
CVE-2018-15756 is a vulnerability with a CVSS score of 7.5 (HIGH). Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static...
How severe is CVE-2018-15756?
CVE-2018-15756 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-15756?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Framework, Oracle Agile Plm, Oracle Communications Brm - Elastic Charging Engine, Oracle Communications Converged Application Server - Service Controller, Oracle Communications Diameter Signaling Router.