BWW Geeks World

Aspect Security Researchers Discover Remote Code Vulnerability in the Spring Framework


Aspect Security, a pioneer in application security, today announced that its researchers have discovered a significant security vulnerability in the Spring Framework. Exclusive data from Sonatype, the operator of the Central Repository, the industry's primary source for open-source components, shows that more than 1.3 million vulnerable instances of the Spring Framework have been downloaded by more than 22,000 organizations worldwide.

Spring is an open-source framework used by Java developers to build business-critical applications. The Expression Language (EL) vulnerability allows an attacker to achieve remote code execution, invoking arbitrary functionality and taking over a machine or the organization's entire network. Once an attacker exploits this weakness, the enterprise loses control of the business systems built on the Spring Framework.

Dubbed Remote Code with Expression Language Injection by Arshan Dabirsiaghi, Director of Research, Aspect Security, and Stefano DiPaola, CTO of Minded Security, this flaw was discovered nearly 20 months ago and resulted in a fix by VMware in the latest version of the Spring Framework. Further research conducted by Aspect Security engineer Dan Amodio has uncovered additional issues that elevate the severity of the flaw, and Aspect cautions that additional steps need to be taken in order to protect organizations from Expression Language Injection vulnerabilities.

"It's difficult to quantify the depth and breadth of this problem since not every application is vulnerable, but any organization using Spring 3.0.5 or earlier is still at risk as these versions do not support disabling the double EL resolution," said Amodio. "The vulnerability leads to remote code execution, which can be devastating to an entire infrastructure. Many organizations are still using outdated components, which don't provide added protections by disabling this functionality. Even more alarming is that these flawed components are still being used to build applications, which can present long-term security risks if left unmanaged."

To keep applications free from third-party attacks and performance issues, Aspect Security recommends that IT managers and developers using Spring update their libraries and opt out of double EL resolution. To avoid similar security incidents in the future, organizations should consider Component Lifecycle Management (CLM) products that ensure the integrity of component-based software by analyzing usage, enforcing policy during development and delivering fixes for flawed components.
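As an added illustration of the "update your libraries" advice (this is example code written for this page, not Aspect Security's or Spring's own tooling), the following script audits a Maven pom.xml for org.springframework artifacts and flags any at version 3.0.5 or earlier, the cut-off the advisory gives for builds that cannot disable double EL resolution. The pom.xml content is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Per the advisory, Spring 3.0.5 and earlier cannot disable double EL resolution.
LAST_UNFIXABLE = (3, 0, 5)

# Constructed sample pom.xml for this example; not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>3.0.5.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>3.1.0.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.8.2</version>
    </dependency>
  </dependencies>
</project>"""

# Maven POMs use a default XML namespace, so every lookup must be namespaced.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.0.5.RELEASE' into (3, 0, 5); qualifiers like RELEASE are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def spring_dependencies(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) for every org.springframework dependency."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.findall(".//m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) == "org.springframework":
            artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
            version = dep.findtext("m:version", default="", namespaces=NS)
            found.append((artifact, version))
    return found


def at_risk(pom_xml: str) -> List[str]:
    """Spring artifacts at 3.0.5 or earlier, i.e. builds that cannot opt out of double EL resolution."""
    return [a for a, v in spring_dependencies(pom_xml) if parse_version(v) <= LAST_UNFIXABLE]
```

Running `at_risk(SAMPLE_POM)` reports only `spring-webmvc`; spring-core at 3.1.0 passes the version gate, and non-Spring artifacts are ignored.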
