Major flaw in Java-based Spring Framework allows remote-code execution by attackers

There's a major flaw in the Java-based Spring Framework open-source development code that allows remote-code execution by attackers against applications built with it, according to the security firm which identified the flaw.

NEWS: Rogue clouds giving IT staffs nightmares

"It allows attackers to inject code," says Jeff Williams, CEO at Aspect Security, whose researchers found the weakness in what's called the "expression language" function in the Spring Framework development code.

Williams says Aspect Security has been working closely with the Spring Framework open-source community to address the issue, but so far the vulnerability related to what's being called "remote code with expression-language injection" isn't something that seems to easily lend itself to a quick patch. So instead, software developers whose applications build on Spring could be at risk and are advised to turn off the expression-language feature.

Spring will likely disable the expression-language feature by default in the next version, says Williams, but for now the vulnerability, if exploited by an attacker, could lead to the complete compromise of the application build with it. "It's very dangerous," Williams says. "They could completely take over a Web application and run their code on the server."

While it's not known exactly how many Spring-developed applications are vulnerable to this remote-code with expression-language injection attack, Sonatype, the operator of the Central Repository, which provides open-source components, shows that more than 1.3 million vulnerable instances of the Spring Framework have been downloaded by more than 22,000 organizations worldwide, according to Aspect Security.

While the vulnerability that Aspect Security uncovered is not "trivial to exploit," acknowledged Williams, he has no doubt that determined attackers will do so. He also noted that the Spring Framework code vulnerability made public this week has no connection whatsoever to issues recently identified in clientside in-the-browser use of Java.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.

Read more about wide area network in Network World's Wide Area Network section.

Tags: security, Java; Spring Framework; remote-code with expression language injection, software

The risks of sticking with Windows XP

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

SECURE Email Gateway

Clearswift SECURE Email Gateway is an effective and resilient email gateway for 50 to 50,000 users.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.