Connect with us

Hi, what are you looking for?



Remote Execution Flaws a Risk to Spring Framework Applications

Steps Must be Taken To Protect From Expression Language Injection Vulnerabilities On Applications Built on The Spring Framework

Steps Must be Taken To Protect From Expression Language Injection Vulnerabilities On Applications Built on The Spring Framework

Another Web framework, another flaw. Just days after Ruby on Rails maintainers closed bugs in the popular Web framework, researchers highlighted a remote injection vulnerability in the Spring Framework and associated problems that went along with it.

The Spring Framework provides a “programming and configuration model for modern Java-based enterprise applications – on any kind of deployment platform,” as explained on project’s website.

Spring FrameworkThe Expression Language vulnerability in Spring is “significant” as it allows attackers to remotely execute code and take over the targeted host, Aspect Security said today. Spring is an open-source framework used by many Java developers in building business-critical applications. Once an attacker successfully exploits this security flaw, the enterprise “loses control of the business systems” that had been built on the framework, Aspect Security said.

The vulnerability was discovered nearly 20 months ago and fixed in the latest version of Spring, released by VMware. However, while the initial remote code with expression language injection bug appeared to be resolved, Dan Amodio, an engineer with Aspect Security, uncovered additional issues that “elevate the severity of the flaw,” the company said.

“The vulnerability leads to remote code execution, which can be devastating to an entire infrastructure,” Amodio said in a statement. It appears that developers can inadvertently introduce the flaw into their Spring applications fairly easily just by following “fairly common coding patterns,” Jeff Williams, CEO of Aspect Security, told SecurityWeek.

“A successful attack will leave little evidence, although careful log scrutiny might turn up evidence of attempted attacks,” Williams said.

“It’s difficult to quantify the depth and breadth of this problem since not every application is vulnerable, but any organization using Spring 3.0.5 or earlier is still at risk as these versions do not support disabling the double EL resolution,” said Amodio. The fix will not “turn off” the vulnerability automatically; rather it makes it harder to enable double Expression Language resolution in future releases.

Advertisement. Scroll to continue reading.

More than 1.3 million vulnerable instances of the Spring Framework have been downloaded by more than 22,000 organizations worldwide, according to figures Aspect Security obtained from Sonatype, the operator behind open-source repository Central Repository. Williams said there was no way to tell at this time whether the vulnerability has been exploited. Aspect is “hopeful” that the flaw was discovered and patched early enough to prevent serious attacks.

“Remote code execution flaws are the worst of the worst,” Williams said.

Attackers can trigger the vulnerability to run arbitrary code on the targeted host. The malicious code can access, modify, or delete any information being processed within the Spring application, Attackers can also run code which can steal the source code to look for database credentials, and use the information to access the back-end databases directly, Williams said. With this kind of control over the application server, there is no reason they wouldn’t be able to run other attack programs directly on the system.

Expression Language injection is the result of new techniques which make it possible for developers to generate powerful custom user interfaces by accessing powerful methods directly from the user interface code, Aspect Security said. As applications get more powerful and user interface languages evolve, this type of vulnerability is likely to crop up with more frequency.

Many organizations are still using outdated components with unpatched security holes when building their applications, even when there are newer versions available, Aspect Security said. This practice introduces serious issues into the final product. It was important that organizations use up-to-date components to build mission-critical applications that are not riddled with security flaws, Aspect Security said.

Related Reading: Ruby on Rails Vulnerabilities and System Hardening

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.