#VU88954 Configuration in Pivotal Spring Framework - CVE-2011-2730


Vulnerability identifier: #VU88954

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-2730

CWE-ID: CWE-16

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pivotal Spring Framework
Server applications / Frameworks for developing and running applications

Vendor: Pivotal

Description

The issue may allow a local user to bypass implemented security restrictions.

The issue exists due to the possibility to bypass implemented security restrictions, related to secure boot. it was addressed by rebuilding the package with the new secure boot key.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pivotal Spring Framework: before 2.5.6.SEC03, 2.5.7.SR023, 3.0.6, 2.5.6.SEC03, 2.5.6.SEC03


External links
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
https://rhn.redhat.com/errata/RHSA-2013-0191.html
https://rhn.redhat.com/errata/RHSA-2013-0192.html
https://rhn.redhat.com/errata/RHSA-2013-0193.html
https://rhn.redhat.com/errata/RHSA-2013-0194.html
https://rhn.redhat.com/errata/RHSA-2013-0195.html
https://rhn.redhat.com/errata/RHSA-2013-0196.html
https://rhn.redhat.com/errata/RHSA-2013-0197.html
https://rhn.redhat.com/errata/RHSA-2013-0198.html
https://rhn.redhat.com/errata/RHSA-2013-0221.html
https://rhn.redhat.com/errata/RHSA-2013-0533.html
https://secunia.com/advisories/51984
https://secunia.com/advisories/52054
https://secunia.com/advisories/55155
https://support.springsource.com/security/cve-2011-2730
https://www.debian.org/security/2012/dsa-2504
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.securitytracker.com/id/1029151
https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability