Security Announcement on CVE-2016-1000027

We will update this announcement with new details as they emerge from our analysis. Please check back periodically.

Last update: 06 March 2023, 9:00 AM CET

Pivotal's Spring Framework contains an unsafe Java deserialization vulnerability. If the Spring Framework library's HttpInvokerServiceExporter is used to deserialize client data, a remote attacker may be able to achieve remote code execution (RCE) on systems running Spring Framework. The vendor has published a warning advising developers of the dangers of deserializing untrusted input in versions older than 6. Furthermore, the deserialization functionality was removed from Spring Framework in version 6 as a breaking change.

Our risk assessment found that no component in any of our product lines uses HttpInvokerServiceExporter; our products are therefore not affected by this CVE.
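The kind of check such a risk assessment rests on, as an added example that is not part of this announcement: a Python scanner that reports every Java source or Spring XML reference to the HttpInvoker classes (the exporter named above, its Simple variant and the client-side proxy factory bean are assumed to be the relevant set), run here over a constructed sample tree rather than a real product.

```python
import re
import tempfile
from pathlib import Path

# Server-side exporters deserialize client-supplied objects; the client-side proxy
# deserializes server replies. Assumption: these three names cover HttpInvoker usage.
HTTPINVOKER_CLASSES = ("SimpleHttpInvokerServiceExporter",
                       "HttpInvokerServiceExporter", "HttpInvokerProxyFactoryBean")
PATTERN = re.compile("|".join(map(re.escape, HTTPINVOKER_CLASSES)))
SCAN_SUFFIXES = {".java", ".kt", ".groovy", ".xml"}

def find_httpinvoker_usage(root):
    """Return (relative path, line number, class name) for every reference found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for m in PATTERN.finditer(line):
                findings.append((path.relative_to(root).as_posix(), lineno, m.group(0)))
    return findings

# Constructed sample tree: an XML bean definition and a Java config that expose an
# HttpInvoker endpoint, plus an unrelated controller that must not be reported.
SAMPLE_FILES = {
    "src/main/resources/remoting-servlet.xml":
        '<bean name="/AccountService"\n'
        '      class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">\n'
        '  <property name="service" ref="accountService"/>\n</bean>\n',
    "src/main/java/demo/RemotingConfig.java":
        "import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;\n"
        "public class RemotingConfig {\n"
        '  @Bean(name = "/AccountService")\n'
        "  public HttpInvokerServiceExporter exporter() { return new HttpInvokerServiceExporter(); }\n"
        "}\n",
    "src/main/java/demo/HelloController.java": "@RestController public class HelloController {}\n",
}

def scan_sample_tree():
    """Materialise SAMPLE_FILES in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_FILES.items():
            dest = Path(tmp, rel)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(text)
        return find_httpinvoker_usage(tmp)

if __name__ == "__main__":
    for path, lineno, cls in scan_sample_tree():
        print(f"{path}:{lineno}: {cls}")
```

An empty result over a real tree supports the "not affected" conclusion only for the code that was scanned; dependencies that ship their own Spring XML or Java config need to be unpacked and included as well.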