Imperva Cyber Community

  • 1.  Spring Boot Eureka XStream Deserialization RCE vulnerability

    Posted 05-15-2023 09:34

    Hi all,

    Is there any signature in WAF to block the Spring Boot Eureka XStream Deserialization RCE vulnerability, where an attacker sends GET/POST requests to the following URLs:

    /actuator/env

    /actuator/refresh

    Thank you!


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Ken Chau
    IT Manager
    ------------------------------


  • 2.  RE: Spring Boot Eureka XStream Deserialization RCE vulnerability

    Posted 05-15-2023 11:21

    Hi Ken,
    I checked in with our Threat Research team. Could you provide any more info, such as a specific CVE ID or a link to an example exploitation?

    Thanks,



    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------



  • 3.  RE: Spring Boot Eureka XStream Deserialization RCE vulnerability

    Posted 05-15-2023 20:07

    Hi Sarah,

    You may check this: Spring Boot Actuators - cheat-sheets (gitbook.io); the first part discusses how to exploit it. Thanks.



    ------------------------------
    Ken Chau
    IT Manager
    ------------------------------



  • 4.  RE: Spring Boot Eureka XStream Deserialization RCE vulnerability

    Posted 05-16-2023 07:32

    Hello Sarah & Ken,

    We also observed the payload "/actuator/health", but there is no coverage for this pattern. We have a malicious User-Agent policy that covers it.

    Observed User-Agent: Mozilla/5.0 zgrab/0.x

    Kindly also let us know if there is any signature to cover these payloads.



    ------------------------------
    Jagadesh Kumar R
    Information Security Group, Assistant Manager
    The Karur Vysya Bank Limited
    Karur
    ------------------------------



  • 5.  RE: Spring Boot Eureka XStream Deserialization RCE vulnerability

    Posted 05-16-2023 08:11

    Hi Jagadesh,

    Thanks for this. Our Threat Research team is looking into it, and I will update you as soon as I have more info.

    Many thanks,
    Sarah



    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------



  • 6.  RE: Spring Boot Eureka XStream Deserialization RCE vulnerability

    Posted 05-17-2023 10:50

    Hi @Ken Chau and @Jagadesh Kumar R 

    Our Threat Research team is still investigating this, but suggested that you use the signatures in the link below, where you can change the patterns to look for the values mentioned in the cheat sheet:
     
    https://0xn3va.gitbook.io/cheat-sheets/framework/spring/spring-boot-actuators

    I hope this helps for now and I will of course let you know of any updates from the team in the meantime.

    Thanks,
    Sarah



    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------
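The thread asks for a signature covering requests to /actuator/env and /actuator/refresh (post 1), notes /actuator/health probes with a "zgrab" User-Agent (post 4), and is told to adapt a pattern signature to the values in the cheat sheet (post 6). The following is an added example, written for this page and not Imperva's or any participant's code, of what such a rule looks like as detection logic run over sample request records. It assumes a constructed log format (`client METHOD path "User-Agent" [body]`), assumes the un-prefixed Spring Boot 1.x endpoint names (/env, /refresh, /health) are also worth covering, and treats the eureka.client.serviceUrl.defaultZone property (the value the public Eureka/XStream write-up sets through /env before calling /refresh) as the body indicator. The sample log lines are constructed. Two practitioner details are built in: the path is canonicalized (query stripped, double percent-decoding, slash collapsing) before matching so trivial evasions hit the same rule, and a bare /actuator/health request only raises an alert rather than a block, because load balancers legitimately poll it.

```python
import posixpath
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Endpoints named in the thread (Spring Boot 2.x /actuator prefix) together with
# the un-prefixed form that Spring Boot 1.x exposed for the same endpoints (assumption).
ACTUATOR_ENDPOINTS = {
    "/actuator/env": "env", "/env": "env",
    "/actuator/refresh": "refresh", "/refresh": "refresh",
    "/actuator/health": "health", "/health": "health",
}

# User-Agent observed in post 4. Matching the product token rather than the
# whole string survives version changes.
SCANNER_UA = re.compile(r"\bzgrab/\d", re.IGNORECASE)

# Property the public Eureka/XStream write-up sets via /env before calling /refresh.
EUREKA_PROPERTY = re.compile(r"eureka\.client\.serviceUrl\.defaultZone", re.IGNORECASE)

# Constructed log format for this example (assumption, not a WAF's own format):
#   client METHOD path "User-Agent" [request body]
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"(?: (.*))?$')


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path so simple evasions hit the same rule.

    Drops the query string, percent-decodes twice (%2565 -> %65 -> e),
    collapses repeated slashes, resolves dot segments and a trailing slash,
    and lower-cases the result (conservative: Spring paths are case-sensitive).
    """
    path = urlsplit(raw_path).path
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path).lower()


@dataclass
class Verdict:
    client: str
    method: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def action(self) -> str:
        """block on env/refresh access or any exploit indicator; alert on a bare health probe."""
        if any(r != "actuator:health" for r in self.reasons):
            return "block"
        return "alert" if self.reasons else "allow"


def inspect_request(client: str, method: str, raw_path: str, user_agent: str, body: str = "") -> Verdict:
    path = normalize_path(raw_path)
    verdict = Verdict(client, method.upper(), path)
    endpoint = ACTUATOR_ENDPOINTS.get(path)
    if endpoint:
        verdict.reasons.append(f"actuator:{endpoint}")   # GET and POST both count (post 1)
    if SCANNER_UA.search(user_agent):
        verdict.reasons.append("ua:zgrab")
    if EUREKA_PROPERTY.search(body):
        verdict.reasons.append("body:eureka-defaultZone")
    return verdict


def scan_log(lines):
    """Parse constructed log lines and return one Verdict per well-formed line."""
    verdicts = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        client, method, path, user_agent, body = match.groups()
        verdicts.append(inspect_request(client, method, path, user_agent, body or ""))
    return verdicts


# Constructed sample traffic (documentation addresses only).
SAMPLE_LOG = [
    '203.0.113.5 POST /actuator/env "Mozilla/5.0 zgrab/0.x" eureka.client.serviceUrl.defaultZone=http://203.0.113.9/xstream',
    '203.0.113.5 POST /actuator/refresh "Mozilla/5.0 zgrab/0.x"',
    '198.51.100.7 GET /actuator/health "Mozilla/5.0 zgrab/0.x"',
    '10.0.0.2 GET /actuator/health "ELB-HealthChecker/2.0"',
    '10.0.0.3 GET /api/orders?id=42 "Mozilla/5.0"',
    '203.0.113.5 GET /actuator/%2565nv "curl/8.1"',
]

if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG):
        print(f"{v.action:5} {v.client:13} {v.method:4} {v.path:18} {','.join(v.reasons)}")
```

The double percent-decode in `normalize_path` is what makes the last sample line (`/actuator/%2565nv`) land on the same rule as a plain `/actuator/env`; a signature matched against the raw request path would miss it. The health endpoint is deliberately split out so that an ELB probe does not trip the block, while a health probe from the zgrab User-Agent does.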