Moderate severity · NVD Advisory · Published Oct 4, 2011 · Updated Apr 29, 2026

CVE-2011-2894

CVE-2011-2894

Description

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.springframework:spring-core (Maven) | >= 3.0.0, < 3.0.6 | 3.0.6
org.springframework.security:spring-security-core (Maven) | >= 3.0.0, < 3.0.6 | 3.0.6
org.springframework.security:spring-security-core (Maven) | >= 2.0.0, < 2.0.7 | 2.0.7

Affected products

2

Patches

1
070a723ef2c8

added "acceptProxyClasses" flag to RemoteInvocationSerializingExporter

https://github.com/spring-projects/spring-framework · Juergen Hoeller · Jul 21, 2011 · via ghsa
3 files changed · +62 8
  • org.springframework.context/src/main/java/org/springframework/remoting/rmi/CodebaseAwareObjectInputStream.java+19 3 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2008 the original author or authors.
    + * Copyright 2002-2011 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -57,7 +57,7 @@ public class CodebaseAwareObjectInputStream extends ConfigurableObjectInputStrea
     
     	/**
     	 * Create a new CodebaseAwareObjectInputStream for the given InputStream and codebase.
    -	 * @param	in the InputStream to read from
    +	 * @param in the InputStream to read from
     	 * @param codebaseUrl the codebase URL to load classes from if not found locally
     	 * (can consist of multiple URLs, separated by spaces)
     	 * @see java.io.ObjectInputStream#ObjectInputStream(java.io.InputStream)
    @@ -68,7 +68,7 @@ public CodebaseAwareObjectInputStream(InputStream in, String codebaseUrl) throws
     
     	/**
     	 * Create a new CodebaseAwareObjectInputStream for the given InputStream and codebase.
    -	 * @param	in the InputStream to read from
    +	 * @param in the InputStream to read from
     	 * @param classLoader the ClassLoader to use for loading local classes
     	 * (may be <code>null</code> to indicate RMI's default ClassLoader)
     	 * @param codebaseUrl the codebase URL to load classes from if not found locally
    @@ -82,6 +82,22 @@ public CodebaseAwareObjectInputStream(
     		this.codebaseUrl = codebaseUrl;
     	}
     
    +	/**
    +	 * Create a new CodebaseAwareObjectInputStream for the given InputStream and codebase.
    +	 * @param in the InputStream to read from
    +	 * @param classLoader the ClassLoader to use for loading local classes
    +	 * (may be <code>null</code> to indicate RMI's default ClassLoader)
    +	 * @param acceptProxyClasses whether to accept deserialization of proxy classes
    +	 * (may be deactivated as a security measure)
    +	 * @see java.io.ObjectInputStream#ObjectInputStream(java.io.InputStream)
    +	 */
    +	public CodebaseAwareObjectInputStream(
    +			InputStream in, ClassLoader classLoader, boolean acceptProxyClasses) throws IOException {
    +
    +		super(in, classLoader, acceptProxyClasses);
    +		this.codebaseUrl = null;
    +	}
    +
     
     	@Override
     	protected Class resolveFallbackIfPossible(String className, ClassNotFoundException ex)
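Review bot: The Javadoc on the new three-argument constructor still reads "for the given InputStream and codebase", but this overload takes no codebase and sets `this.codebaseUrl = null;`, so the summary should be `Create a new CodebaseAwareObjectInputStream for the given InputStream and ClassLoader, with no codebase URL.` There is also no overload that accepts both a codebase URL and `acceptProxyClasses`, so a stream built through the existing codebase-taking constructors above cannot opt out of proxy deserialization; if any such caller reads untrusted input, a fourth overload `(in, classLoader, codebaseUrl, acceptProxyClasses)` would be the natural follow-up. `resolveFallbackIfPossible`, whose signature is the last line of the hunk, continues outside it.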
    
  • org.springframework.context/src/main/java/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java+20 3 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2008 the original author or authors.
    + * Copyright 2002-2011 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -57,6 +57,8 @@ public abstract class RemoteInvocationSerializingExporter extends RemoteInvocati
     
     	private String contentType = CONTENT_TYPE_SERIALIZED_OBJECT;
     
    +	private boolean acceptProxyClasses = true;
    +
     	private Object proxy;
     
     
    @@ -70,12 +72,27 @@ public void setContentType(String contentType) {
     	}
     
     	/**
    -	 * Return the content type to use for sending remote invocation  responses.
    +	 * Return the content type to use for sending remote invocation responses.
     	 */
     	public String getContentType() {
     		return this.contentType;
     	}
     
    +	/**
    +	 * Set whether to accept deserialization of proxy classes.
    +	 * <p>Default is "true". May be deactivated as a security measure.
    +	 */
    +	public void setAcceptProxyClasses(boolean acceptProxyClasses) {
    +		this.acceptProxyClasses = acceptProxyClasses;
    +	}
    +
    +	/**
    +	 * Return whether to accept deserialization of proxy classes.
    +	 */
    +	public boolean isAcceptProxyClasses() {
    +		return this.acceptProxyClasses;
    +	}
    +
     
     	public void afterPropertiesSet() {
     		prepare();
    @@ -102,7 +119,7 @@ protected final Object getProxy() {
     	 * @throws java.io.IOException if creation of the ObjectInputStream failed
     	 */
     	protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
    -		return new CodebaseAwareObjectInputStream(is, getBeanClassLoader(), null);
    +		return new CodebaseAwareObjectInputStream(is, getBeanClassLoader(), isAcceptProxyClasses());
     	}
     
     	/**
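Review bot: The new flag defaults to `true` (`private boolean acceptProxyClasses = true;`), so an exporter keeps accepting serialized java.lang.Proxy instances unless each deployment explicitly calls `setAcceptProxyClasses(false)`; the setter Javadoc should say that plainly, e.g. `<p>Default is "true". Set to "false" for exporters reachable by untrusted clients: with the default, a serialized Proxy supplied by the client is resolved on the server.` Per the advisory text on this page, the second vector (deserializing internal AOP/bean-factory types such as DefaultListableBeanFactory) is not governed by this flag, since it only controls proxy-class resolution, so a sentence in the class Javadoc that the flag is not a general deserialization allow-list would keep readers from over-trusting it. `createObjectInputStream` does thread `isAcceptProxyClasses()` through to the stream, so the proxy case itself is wired completely.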
    
  • org.springframework.core/src/main/java/org/springframework/core/ConfigurableObjectInputStream.java+23 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2008 the original author or authors.
    + * Copyright 2002-2011 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -18,6 +18,7 @@
     
     import java.io.IOException;
     import java.io.InputStream;
    +import java.io.NotSerializableException;
     import java.io.ObjectInputStream;
     import java.io.ObjectStreamClass;
     import java.lang.reflect.Proxy;
    @@ -36,16 +37,33 @@ public class ConfigurableObjectInputStream extends ObjectInputStream {
     
     	private final ClassLoader classLoader;
     
    +	private final boolean acceptProxyClasses;
    +
     
     	/**
     	 * Create a new ConfigurableObjectInputStream for the given InputStream and ClassLoader.
    -	 * @param	in the InputStream to read from
    +	 * @param in the InputStream to read from
     	 * @param classLoader the ClassLoader to use for loading local classes
     	 * @see java.io.ObjectInputStream#ObjectInputStream(java.io.InputStream)
     	 */
     	public ConfigurableObjectInputStream(InputStream in, ClassLoader classLoader) throws IOException {
    +		this(in, classLoader, true);
    +	}
    +
    +	/**
    +	 * Create a new ConfigurableObjectInputStream for the given InputStream and ClassLoader.
    +	 * @param in the InputStream to read from
    +	 * @param classLoader the ClassLoader to use for loading local classes
    +	 * @param acceptProxyClasses whether to accept deserialization of proxy classes
    +	 * (may be deactivated as a security measure)
    +	 * @see java.io.ObjectInputStream#ObjectInputStream(java.io.InputStream)
    +	 */
    +	public ConfigurableObjectInputStream(
    +			InputStream in, ClassLoader classLoader, boolean acceptProxyClasses) throws IOException {
    +
     		super(in);
     		this.classLoader = classLoader;
    +		this.acceptProxyClasses = acceptProxyClasses;
     	}
     
     
    @@ -68,6 +86,9 @@ protected Class resolveClass(ObjectStreamClass classDesc) throws IOException, Cl
     
     	@Override
     	protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
    +		if (!this.acceptProxyClasses) {
    +			throw new NotSerializableException("Not allowed to accept serialized proxy classes");
    +		}
     		if (this.classLoader != null) {
     			// Use the specified ClassLoader to resolve local proxy classes.
     			Class[] resolvedInterfaces = new Class[interfaces.length];
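Review bot: The rejection in `resolveProxyClass` throws `NotSerializableException`, whose documented meaning is that an instance lacks the Serializable interface, which is not what happened here; `InvalidClassException` (what ObjectInputStream itself throws for a class it refuses to load) names a rejected class more accurately and is likewise an IOException for existing callers: `throw new InvalidClassException("Not allowed to accept serialized proxy classes");` with the import swapped accordingly. Appending the requested interface names to the message would make a rejected stream diagnosable from server logs. Note that the check fires only for proxy classes; `resolveClass`, which sits above this hunk and is not shown, presumably still resolves any named class through the configured ClassLoader, so the flag is a targeted mitigation for the Proxy/InvocationHandler vector rather than a deserialization allow-list, and that limitation belongs in the Javadoc of the `acceptProxyClasses` field.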
    

Vulnerability mechanics


References

11
