CVE-2020-5413

Published: Jul 31, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

Affected (20)

Products: Vmware: Spring Integration · Oracle: Banking Corporate Lending Process Management, Banking Credit Facilities Process Management, Banking Supply Chain Finance, Banking Virtual Account Management, Flexcube Private Banking, Retail Customer Management And Segmentation Foundation, Retail Merchandising System

Vmware

1 product

Spring Integration

Oracle

7 products

Banking Corporate Lending Process Management

Banking Credit Facilities Process Management

Banking Supply Chain Finance

Banking Virtual Account Management

Flexcube Private Banking

Retail Customer Management And Segmentation Foundation

Retail Merchandising System

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring Integration	From 4.3.0 to 4.3.22
Vmware Spring Integration	From 5.1.0 to 5.1.11
Vmware Spring Integration	From 5.2.0 to 5.2.7
Vmware Spring Integration	From 5.3.0 to 5.3.1

Configuration B

16 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Corporate Lending Process Management	Version 14.2.0
Oracle Banking Corporate Lending Process Management	Version 14.3.0
Oracle Banking Corporate Lending Process Management	Version 14.5.0
Oracle Banking Credit Facilities Process Management	Version 14.2.0
Oracle Banking Credit Facilities Process Management	Version 14.3.0
Oracle Banking Credit Facilities Process Management	Version 14.5.0
Oracle Banking Supply Chain Finance	Version 14.2.0
Oracle Banking Supply Chain Finance	Version 14.3.0
Oracle Banking Supply Chain Finance	Version 14.5.0
Oracle Banking Virtual Account Management	Version 14.2.0
Oracle Banking Virtual Account Management	Version 14.3.0
Oracle Banking Virtual Account Management	Version 14.5.0
Oracle Flexcube Private Banking	Version 12.0.0
Oracle Flexcube Private Banking	Version 12.1.0
Oracle Retail Customer Management And Segmentation Foundation	From 16.0 to 19.0
Oracle Retail Merchandising System	Version 16.0.3