lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <C19FEA98C0D18F42B912AB73384528C2187268012D@exch-pub-pd03.vmware.com> Date: Fri, 9 Sep 2011 01:41:03 -0700 From: s2-security <s2-security@...are.com> To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: CVE-2011-2731: Spring Security privilege escalation when using RunAsManager CVE-2011-2731: Spring Security privilege escalation when using RunAsManager Severity: Moderate Versions Affected: 2.0.0 to 2.0.6 3.0.0 to 3.0.5 Earlier versions may also be affected Description: Spring Security provides a mechanism (RunAsManager) to allow particular operations to run with a different set of privileges than the predefined user. The implementation contains a race condition whereby the escalated privileges could also be used in a different invocation in another thread. Example: If the RunAsManager returns an Authentication object for the current invocation, the security interceptor will temporarily store this in the security context for the duration of the invocation. This authentication object would be shared with other concurrently executing threads, leading to a possible escalation of privileges in those threads. Mitigation: If you are not using a RunAsManager implementation, then you are not affected by this issue. All users may mitigate this issue by upgrading to 3.0.6 Users of 2.0.x may upgrade to 2.0.7 Fix: This issue was fixed by ensuring that the a new thread-local security context is created during run-as replacement and the temporary authentication token copied to it. Credit: The issue was discovered by Rob Winch. History: 2011-09-09: Original advisory References: [1] http://www.springsource.com/security/cve-2011-2731 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists