Ounce Labs Advanced Research Team Identifies Critical Security Issues in Popular Open Source Spring Framework


Security Alert Overview

Ounce Labs Advanced Research Team (ART) has documented two vulnerabilities in the widely used Spring Framework, which is used to build dynamic, robust, highly scalable Web applications in Java. The vulnerabilities identified could affect countless enterprises that rely on this framework. The ART team has worked closely with the Spring Framework security team to confirm these issues and to develop recommendations for avoiding the associated risks.

The specific vulnerabilities are ‘ModelView Injection’ and ‘Data Submission to Non-Editable Fields.’ These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application itself and access to any data, credentials or keys it holds. Although the two vulnerabilities were discovered and analyzed by Ounce in the Spring Framework, Ounce Labs’ ART experts believe that similar issues can be found in other popular frameworks. Detailed analysis of the security issues and recommendations are available in the ART team’s Technical Advisory.

The researchers used the Ounce security source code analysis tool as the platform to uncover these security issues, combining its findings with static analysis and in-depth manual analysis guided by those results. Unlike common application vulnerabilities that expose Web applications to cross-site scripting or SQL injection attacks, this newly discovered class of vulnerabilities does not consist of security flaws within the framework itself; they are design issues that, if not handled properly by the application built on the framework, expose business-critical applications to attack. The right security awareness in the design and testing phases of applications using the framework can protect enterprises from exploitation after deployment.

For further information, including recommendations on how to mitigate the risk of these issues, listen to the Spring Framework podcast or attend the upcoming webinar, both of which feature Ryan Berg, Chief Scientist, and Dinis Cruz, Director of Advanced Research, of Ounce Labs.

FOR MORE INFORMATION

Technical Advisory

Webinar

Podcast