Spring Data REST RCE via PATCH requests
Description
Spring Data REST versions prior to 2.6.9 (Ingalls) and 3.0.1 (Kay) contain a remote code execution vulnerability (CVE-2017-8046) in the PATCH request handler. The vulnerability exists because the application improperly evaluates Spring Expression Language (SpEL) expressions embedded within JSON Patch request payloads. An unauthenticated attacker can exploit this by sending a maliciously crafted PATCH request containing SpEL expressions that are then evaluated on the server, leading to arbitrary code execution.
Remediation
Immediately upgrade to a patched version of Spring Data REST or Spring Boot. The following releases address this vulnerability:
- Spring Data REST 2.6.9 (Ingalls SR9) or later
- Spring Data REST 3.0.1 (Kay SR1) or later
- Spring Boot 1.5.9 or later
- Spring Boot 2.0 M6 or later
If immediate patching is not possible, implement the following temporary mitigations:
- Disable PATCH request handling in Spring Data REST if not required for business functionality
- Implement strict input validation and filtering on all incoming PATCH requests
- Deploy a Web Application Firewall (WAF) with rules to detect and block SpEL injection patterns in request payloads
- Restrict network access to the affected endpoints to trusted sources only
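The two input-filtering mitigations above (strict validation of PATCH bodies, WAF rules that refuse expression syntax) amount to the same control: accept only well-formed JSON Patch documents whose pointers look like plain property paths, and reject anything else before it reaches the handler. The following allowlist validator is an added example written for this advisory; it is not code from the Spring Data REST project, and its rejection rule (a JSON Pointer may contain only alphanumeric or underscore segments, or the `-` append marker) is a deliberately conservative assumption that drops legitimate but rarely needed RFC 6902 features such as `~0`/`~1` escapes. The sample payloads at the bottom are constructed for illustration.

```python
"""Allowlist validator for JSON Patch (RFC 6902) request bodies, intended as a
defensive pre-filter (WAF rule or servlet filter logic) in front of a PATCH
endpoint.  Added example, not part of Spring Data REST.  The acceptance rule is
an assumption: only plain JSON Pointers built from alphanumeric segments pass,
so any payload carrying expression syntax in a pointer is refused unread."""
import json
import re

# One or more "/segment" parts.  A segment is alphanumeric/underscore, or the
# single "-" that RFC 6902 uses to mean "append to array".  Brackets,
# parentheses, '#', quotes and dots never match and are therefore rejected.
_SAFE_POINTER = re.compile(r"^(/([A-Za-z0-9_]+|-))+$")

# The operation names RFC 6902 defines; move/copy additionally require "from".
_ALLOWED_OPS = {"add", "remove", "replace", "move", "copy", "test"}
_POINTER_FIELDS = {"path", "from"}


def validate_patch(body: str, max_ops: int = 50) -> tuple[bool, str]:
    """Return (ok, reason).  ok is False at the first rule violation."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return False, f"malformed JSON: {exc}"
    if not isinstance(doc, list):
        return False, "patch document must be a JSON array of operations"
    if len(doc) > max_ops:
        return False, f"too many operations ({len(doc)} > {max_ops})"
    for i, op in enumerate(doc):
        if not isinstance(op, dict):
            return False, f"op {i}: not an object"
        kind = op.get("op")
        if kind not in _ALLOWED_OPS:
            return False, f"op {i}: unknown op {kind!r}"
        if kind in ("move", "copy") and "from" not in op:
            return False, f"op {i}: {kind} requires 'from'"
        # Every pointer-valued field must be a string matching the allowlist.
        for field in sorted(_POINTER_FIELDS & op.keys()):
            ptr = op[field]
            if not isinstance(ptr, str) or not _SAFE_POINTER.fullmatch(ptr):
                return False, f"op {i}: {field} {ptr!r} is not a plain JSON Pointer"
    return True, "ok"


# Constructed sample bodies (not captured traffic).
BENIGN = (
    '[{"op":"replace","path":"/firstName","value":"Ada"},'
    ' {"op":"add","path":"/tags/-","value":"vip"},'
    ' {"op":"move","from":"/nickname","path":"/alias"}]'
)
# A pointer carrying expression-like syntax: refused on shape alone.
SUSPECT = '[{"op":"replace","path":"/firstName[#{ \'probe\' }]","value":"x"}]'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, validate_patch(body))
```

Because the check is an allowlist on shape rather than a blocklist of known expression tokens, it does not need updating as new SpEL tricks appear; the trade-off is that any client relying on escaped or punctuated property names must be accommodated explicitly.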
After upgrading, verify the patch is effective by testing that SpEL expressions in PATCH requests are no longer evaluated.