Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

CVE-2011-2731: Spring Security privilege escalation when using RunAsManager
From: s2-security <s2-security () vmware com>
Date: Fri, 9 Sep 2011 01:41:03 -0700

CVE-2011-2731: Spring Security privilege escalation when using RunAsManager

Severity: Moderate

Versions Affected:
2.0.0 to 2.0.6
3.0.0 to 3.0.5
Earlier versions may also be affected

Description:
Spring Security provides a mechanism (RunAsManager) to allow particular operations to run with a different set of 
privileges than the predefined user. The implementation contains a race condition whereby the escalated privileges 
could also be used in a different invocation in another thread.

Example:
If the RunAsManager returns an Authentication object for the current invocation, the security interceptor will 
temporarily store this in the security context for the duration of the invocation. This authentication object would be 
shared with other concurrently executing threads, leading to a possible escalation of privileges in those threads.

Mitigation:
If you are not using a RunAsManager implementation, then you are not affected by this issue.
All users may mitigate this issue by upgrading to 3.0.6
Users of 2.0.x may upgrade to 2.0.7

Fix:
This issue was fixed by ensuring that the a new thread-local security context is created during run-as replacement and 
the temporary authentication token copied to it.

Credit:
The issue was discovered by Rob Winch.

History:
2011-09-09: Original advisory

References:
[1] http://www.springsource.com/security/cve-2011-2731
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • CVE-2011-2731: Spring Security privilege escalation when using RunAsManager s2-security (Sep 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault