CVE-2020-5413: Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

Affected

24 ranges

Vendor	Product	Version range	Fixed in
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_virtual_account_management	—	—
oracle	banking_virtual_account_management	—	—
oracle	banking_virtual_account_management	—	—
oracle	flexcube_private_banking	—	—
oracle	flexcube_private_banking	—	—
oracle	retail_customer_management_and_segmentation_foundation	16.0 – 19.0	—
oracle	retail_merchandising_system	—	—
spring_by_vmware	spring_integration	>= 4.3 < v4.3.23.RELEASE	v4.3.23.RELEASE
spring_by_vmware	spring_integration	>= 5.1 < v5.1.12.RELEASE	v5.1.12.RELEASE
spring_by_vmware	spring_integration	>= 5.2 < v5.2.8.RELEASE	v5.2.8.RELEASE
spring_by_vmware	spring_integration	>= 5.3 < v5.3.2.RELEASE	v5.3.2.RELEASE
vmware	spring_integration	4.3.0 – 4.3.22	—
vmware	spring_integration	5.1.0 – 5.1.11	—
vmware	spring_integration	5.2.0 – 5.2.7	—
vmware	spring_integration	5.3.0 – 5.3.1	—