The flaw has been called ‘remote code with Expression Language injection’ and was originally discovered 20 months ago. At the time, VMWare (which acquired SpringSource in 2009) produced a fix for the latest version of the Spring Framework. But now new research by Aspect Security’s Dan Amodio has discovered additional issues that elevate the severity of the vulnerability. If exploited, an attacker could execute code remotely and the enterprise would lose control of any business system built on vulnerable versions of Spring.
“It’s difficult to quantify the depth and breadth of this problem,” said Amodio, “since not every application is vulnerable; but any organization using Spring 3.0.5 or earlier is still at risk as these versions do not support disabling the double EL resolution. The vulnerability leads to remote code execution, which can be devastating to an entire infrastructure. Many organizations are still using outdated components, which don't provide added protections by disabling this functionality. Even more alarming is that these flawed components are still being used to build applications which can present long-term security risks if gone unmanaged.”
Using data from Sonatype, which operates the Central Repository for open source components, Aspect Security estimates that more than 1.3 million instances of the vulnerable Spring Framework have been downloaded by more than 22,000 organizations worldwide. It is actually just one instance of a wider problem. Last year Aspect and Sonatype partnered to produce a report that estimated 29.8 million (or 26%) library downloads included a known vulnerability, while the vast majority of library flaws remain undiscovered. “Typical Java applications,” said the report, “are likely to include at least one vulnerable library.”
To avoid third-party attacks using the Spring vulnerability, Aspect recommends that developers update their libraries and opt out of enabling double EL resolution. “To avoid similar security instances in the future,” it suggests, “organizations should consider Component Lifecycle Management (CLM) products that ensure the integrity of component-based software by analyzing usage, enforcing policy during development and delivering fixes for flawed components.”
In an unrelated item on the SpringSource blog yesterday, Juergen Hoeller announced that the current 3.2 version of Spring would be the last in the 3.x line, and that work on Spring Framework 4.0 has commenced. “We intend,” he said, “to have yet another one-year iteration and reach 4.0 GA by the end of 2013.”