Security Announcement on CVE-2016-1000027
We will update this announcement with new details as they emerge from our analysis. Please check back periodically.
Last update: 06 March 2023, 9:00 AM CET
Pivotal's Spring Framework contains an unsafe Java deserialization vulnerability. If the Spring Framework library's HttpInvokerServiceExporter is used to deserialize client data, a remote attacker may be able to achieve remote code execution (RCE) on systems using Spring Framework. The vendor has published a warning for versions older than 6 advising developers of the dangers of deserializing untrusted input. Furthermore, the deserialization functionality was removed from Spring Framework in version 6 as a breaking change.
Our risk assessment found that none of the components in any product line use the HttpInvokerServiceExporter; they are therefore not affected by this CVE.
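One way to run the same kind of usage check on your own code base, as an added example (not part of the original announcement and not the tooling used for the assessment above): it searches source and Spring XML files, and compiled classes inside jars, for references to HttpInvokerServiceExporter, and lists bundled spring-web jars older than version 6. The function names, scanned file extensions, and sample tree are assumptions made for this example.

```python
import re, sys, zipfile
from pathlib import Path

# The exporter class ships in the spring-web module.
FQCN = "org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter"
INTERNAL = FQCN.replace(".", "/").encode()   # form stored in .class constant pools
TEXT_EXT = {".java", ".kt", ".groovy", ".xml"}   # assumption: file types worth scanning
JAR_VER = re.compile(r"spring-web-(\d+)\.[\w.\-]*\.jar$")

def scan(root):
    """Return (references to the exporter, spring-web jars older than 6) under root."""
    refs, pre6 = [], []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix in TEXT_EXT:
            for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
                if "HttpInvokerServiceExporter" in line:
                    refs.append(f"{rel}:{n}")
        elif p.suffix == ".jar":
            m = JAR_VER.search(p.name)
            if m and int(m.group(1)) < 6:
                pre6.append(p.name)
            with zipfile.ZipFile(p) as jar:
                for e in jar.namelist():
                    # Spring's own classes define the exporter; only report code that uses it.
                    if (e.endswith(".class") and not e.startswith("org/springframework/")
                            and INTERNAL in jar.read(e)):
                        refs.append(f"{rel}!{e}")
    return refs, pre6

def build_sample(root):
    """Constructed sample tree for demonstration; not real application data."""
    root = Path(root)
    (root / "lib").mkdir(parents=True)
    (root / "beans.xml").write_text(f'<beans>\n  <bean name="/orders" class="{FQCN}"/>\n</beans>\n')
    (root / "Clean.java").write_text("class Clean {}\n")
    for jar, entry in (("spring-web-5.3.20.jar", INTERNAL.decode() + ".class"),
                       ("app.jar", "com/example/RemoteConfig.class")):
        with zipfile.ZipFile(root / "lib" / jar, "w") as z:
            z.writestr(entry, b"\xca\xfe\xba\xbe" + INTERNAL)   # fake class bytes

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        if len(sys.argv) < 2:
            build_sample(d)          # no path given: scan the constructed sample
        refs, pre6 = scan(sys.argv[1] if len(sys.argv) > 1 else d)
        print("spring-web < 6 jars:", pre6 or "none")
        print("exporter references:", *(refs or ["none"]), sep="\n  ")
```

A reference found this way only shows that the class is present in code or configuration; whether the exported endpoint is reachable by untrusted clients still has to be reviewed per finding.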
