Vulnerability of VMware Spring Framework: privilege escalation via RFD Protection Bypass

Synthesis of the vulnerability

An attacker can bypass restrictions via RFD Protection Bypass of VMware Spring Framework, in order to escalate his privileges.

Vulnerable software: Unisphere EMC, QRadar SIEM, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Fusion Middleware, Oracle OIT, WebLogic, Percona Server, Spring Framework.

Severity of this announce: 2/4.

Creation date: 17/09/2020.

Références of this computer vulnerability: 6408868, cpujan2021, CVE-2020-5421, DSA-2021-063, VIGILANCE-VUL-33361.

Description of the vulnerability

An attacker can bypass restrictions via RFD Protection Bypass of VMware Spring Framework, in order to escalate his privileges.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This threat note impacts software or systems such as Unisphere EMC, QRadar SIEM, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Fusion Middleware, Oracle OIT, WebLogic, Percona Server, Spring Framework.

Our Vigil@nce team determined that the severity of this cybersecurity note is medium.

The trust level is of type confirmed by the editor, with an origin of document.

An attacker with a expert ability can exploit this vulnerability note.

Solutions for this threat

VMware Spring Framework: version 5.2.9.
The version 5.2.9 is fixed:
https://tanzu.vmware.com/spring-app-framework

VMware Spring Framework: version 5.1.18.
The version 5.1.18 is fixed:
https://tanzu.vmware.com/spring-app-framework

VMware Spring Framework: version 5.0.19.
The version 5.0.19 is fixed:
https://tanzu.vmware.com/spring-app-framework

VMware Spring Framework: version 4.3.29.
The version 4.3.29 is fixed:
https://tanzu.vmware.com/spring-app-framework

Spring Boot: version 2.3.4.
The version 2.3.4 is fixed:
https://spring.io/projects/spring-boot

Spring Boot: version 2.2.10.
The version 2.2.10 is fixed:
https://spring.io/projects/spring-boot

Spring Boot: version 2.1.17.
The version 2.1.17 is fixed:
https://spring.io/projects/spring-boot

Dell Unisphere for PowerMax: version 9.2.1.6.
The version 9.2.1.6 is fixed:
https://www.dell.com/support/home/fr-fr

IBM QRadar SIEM: solution for Spring Framework.
The solution is indicated in information sources.

MariaDB: versions 10.2.37, 10.3.28, 10.4.18 and 10.5.9.
Versions 10.2.37, 10.3.28, 10.4.18 and 10.5.9 are fixed:
https://mariadb.com/

Oracle Fusion Middleware: CPU of January 2021.
A Critical Patch Update is available:
https://www.oracle.com/security-alerts/cpujan2021.html

Oracle MySQL: version 5.6.51.
The version 5.6.51 is fixed:
  https://support.oracle.com/rs?type=doc&id=2739278.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.7.33.
The version 5.7.33 is fixed:
  https://support.oracle.com/rs?type=doc&id=2739278.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 8.0.23.
The version 8.0.23 is fixed:
  https://support.oracle.com/rs?type=doc&id=2739278.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Percona Server: version 5.6.51-91.0.
The version 5.6.51-91.0 is fixed:
https://www.percona.com/
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a system vulnerability watch. The Vigil@nce vulnerability database contains several thousand vulnerabilities.