Security Experts: Remote Execution Flaws a Risk to Spring Framework Applications

Steps must be taken to protect applications built on the Spring Framework from Expression Language injection vulnerabilities

Another Web framework, another flaw. Just days after Ruby on Rails maintainers closed bugs in the popular Web framework, researchers highlighted a remote injection vulnerability in the Spring Framework and associated problems that went along with it.

The Spring Framework provides a "programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform," as explained on the project's website.

The Expression Language vulnerability in Spring is "significant" as it allows attackers to remotely execute code and take over the targeted host, Aspect Security said today. Spring is an open-source framework used by many Java developers in building business-critical applications. Once an attacker successfully exploits this security flaw, the enterprise "loses control of the business systems" that had been built on the framework, Aspect Security said.

The vulnerability was discovered nearly 20 months ago and fixed in the latest version of Spring, released by VMware. However, while the initial expression language injection bug leading to remote code execution appeared to be resolved, Dan Amodio, an engineer with Aspect Security, uncovered additional issues that "elevate the severity of the flaw," the company said.

"The vulnerability leads to remote code execution, which can be devastating to an entire infrastructure," Amodio said in a statement. It appears that developers can inadvertently introduce the flaw into their Spring applications fairly easily just by following "fairly common coding patterns," Jeff Williams, CEO of Aspect Security, told SecurityWeek.

"A successful attack will leave little evidence, although careful log scrutiny might turn up evidence of attempted attacks," Williams said.

"It's difficult to quantify the depth and breadth of this problem since not every application is vulnerable, but any organization using Spring 3.0.5 or earlier is still at risk as these versions do not support disabling the double EL resolution," said Amodio. The fix will not "turn off" the vulnerability automatically; rather it makes it harder to enable double Expression Language resolution in future releases.
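The "double EL resolution" referred to above is controlled, in Spring versions that ship the fix, by a servlet context parameter. The fragment below is an added example, not code from the article or from the Spring project; the application content is constructed, and the described tag behaviour reflects my understanding of the fix rather than anything stated on this page.

```xml
<!-- Constructed web.xml fragment for a Spring MVC application. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Weak setting (and the only behaviour available before the fix):
       Spring's JSP tag library re-evaluates tag attribute values as
       Expression Language after the servlet container has already
       evaluated them once. A view such as
         <spring:message text="${param.msg}"/>
       therefore feeds request-controlled text into a second EL
       evaluation, which is the injection point this article describes. -->
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>true</param-value>
  </context-param>

  <!-- Corrected setting: set the parameter to "false" explicitly rather
       than relying on a version default, so the second EL evaluation is
       disabled application-wide. User-supplied values in views should
       then be rendered through escaping tags (for example <c:out>)
       instead of being passed into Spring tag attributes. -->
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>

</web-app>
```

Only one of the two `context-param` blocks belongs in a real deployment descriptor; they are shown side by side for comparison. Detection-wise, the second evaluation is the reason requests carrying `${` or `#{` sequences in parameter values deserve attention in access logs for applications on affected versions.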

More than 1.3 million vulnerable instances of the Spring Framework have been downloaded by more than 22,000 organizations worldwide, according to figures Aspect Security obtained from Sonatype, the operator of the open-source Central Repository. Williams said there was no way to tell at this time whether the vulnerability has been exploited. Aspect is "hopeful" that the flaw was discovered and patched early enough to prevent serious attacks.

"Remote code execution flaws are the worst of the worst," Williams said.

Attackers can trigger the vulnerability to run arbitrary code on the targeted host. The malicious code can access, modify, or delete any information being processed within the Spring application. Attackers can also run code that steals the source code to look for database credentials, and use that information to access the back-end databases directly, Williams said. With this kind of control over the application server, there is no reason they wouldn't be able to run other attack programs directly on the system.

Expression Language injection is the result of new techniques that make it possible for developers to build rich custom user interfaces by accessing powerful methods directly from the user interface code, Aspect Security said. As applications get more powerful and user interface languages evolve, this type of vulnerability is likely to crop up more frequently.

Many organizations are still using outdated components with unpatched security holes when building their applications, even when newer versions are available, Aspect Security said. This practice introduces serious issues into the final product. It is important that organizations use up-to-date components to build mission-critical applications that are not riddled with security flaws, Aspect Security said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.