CVE-2016-1000027 Resolution

Information on the resolution of CVE-2016-1000027 in NES for Spring

This CVE does not impact Spring Framework itself. However, certain versions of the framework include RPC-style remote communication support (including HTTP Invoker), which allows developers to write custom application code that may be vulnerable to Remote Code Execution as outlined in the CVE.

Removing the feature from the spring-web artifact might break existing, non-vulnerable applications that rely on this functionality. Therefore, NES for Spring does not remove the HTTP Invoker feature from the spring-web artifact.

As of release nes-v5.3.27, the spring-web artifact includes an additional jar under the classifier no-remoting. This jar does not include the HTTP Invoker feature and is intended for applications that do not use this functionality. The default spring-web jar will continue to include the HTTP Invoker feature for backward compatibility.

How to Use the no-remoting Classifier

Use the no-remoting classifier to exclude the HTTP Invoker feature from your application. This is particularly useful if you are certain that your application does not use this functionality and you want to avoid any potential security risks associated with it.

You will need to exclude the default spring-web dependency from your project and add spring-web with the no-remoting classifier instead.

Gradle example:

implementation('org.springframework.boot:spring-boot-starter-web') {
  exclude group: "org.springframework", module: "spring-web"
}
implementation group: 'org.springframework', name: 'spring-web', classifier: 'no-remoting'

Maven example:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
  <exclusions>
    <exclusion>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-web</artifactId>
  <classifier>no-remoting</classifier>
</dependency>
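After swapping in the no-remoting classifier, it is worth confirming that the HTTP Invoker classes are actually absent from the build rather than trusting the dependency declaration alone. The following Python script is an added example, not part of the NES documentation or the sample project: it scans every jar under a directory (descending into BOOT-INF/lib/*.jar inside a Spring Boot fat jar) for entries under org/springframework/remoting/httpinvoker/, the package that holds HttpInvokerServiceExporter; the jar contents used for testing are constructed, not real Spring bytecode.

```python
"""Report jars that still ship the Spring HTTP Invoker remoting classes."""
import io
import os
import zipfile

# Package containing HttpInvokerServiceExporter / HttpInvokerProxyFactoryBean.
REMOTING_PREFIX = "org/springframework/remoting/httpinvoker/"


def remoting_entries(jar_bytes: bytes) -> list[str]:
    """Return HTTP Invoker class entries in a jar, recursing into nested jars."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(REMOTING_PREFIX) and name.endswith(".class"):
                found.append(name)
            elif name.endswith(".jar"):  # e.g. BOOT-INF/lib/spring-web-*.jar in a fat jar
                nested = remoting_entries(zf.read(name))
                found.extend(f"{name}!/{entry}" for entry in nested)
    return found


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each jar under root that still contains HTTP Invoker classes to its entries."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for filename in files:
            if filename.endswith(".jar"):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    entries = remoting_entries(fh.read())
                if entries:
                    hits[path] = entries
    return hits


def make_jar(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory jar from a name->bytes map (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, entries in scan_tree(root).items():
        print(f"{jar}: {len(entries)} HTTP Invoker class(es), e.g. {entries[0]}")
```

Run it against the build output (for example `build/libs` or `target`); an empty report means no jar on the classpath, including the fat jar's nested libraries, still carries the remoting package.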

Additional Information

You can read more about the CVE and its implications in the CVE-2016-1000027 vulnerability entry.

An example application using the no-remoting classifier can be found in sample-spring-boot-2-7-no-remoting.