Apache Authors: John Mertic, Pat Romanski, Liz McMillan, Elizabeth White, Janakiram MSV

News Feed Item

Aspect Security Researchers Discover Remote Code Vulnerability in the Spring Framework

More Than 22,000 Organizations Worldwide Have Downloaded 1.3 Million Insecure Instances of the Spring Framework Exposing Those Enterprises to Hostile Takeover of Business Systems

COLUMBIA, MD -- (Marketwire) -- 01/16/13 -- Aspect Security, a pioneer in application security, today announced that its researchers have discovered a significant security vulnerability in the Spring Framework. Exclusive data from Sonatype, the operator of the Central Repository, the industry's primary source for open-source components, shows that more than 1.3 million vulnerable instances of the Spring Framework has been downloaded by more than 22,000 organizations worldwide.

Spring is an open-source framework used by Java developers to build business-critical applications. The Expression Language (EL) vulnerability enables an attacker to use a remote code execution to invoke functionality and take over a machine or the organization's entire network. Once an attacker exploits this weakness, the enterprise loses control of the business systems built on the Spring Framework.

Dubbed Remote Code with Expression Language Injection by Arshan Dabirsiaghi, Director of Research, Aspect Security and Stefano DiPaola, CTO of Minded Security, this flaw was discovered nearly 20 months ago and resulted in a fix by VMware in the latest version of the Spring Framework. Further research conducted by Aspect Security engineer Dan Amodio has uncovered additional issues that elevate the severity of the flaw, and Aspect cautions that additional steps need to be taken in order to protect organizations from Expression Language Injection vulnerabilities.

"It's difficult to quantify the depth and breadth of this problem since not every application is vulnerable, but any organization using Spring 3.0.5 or earlier is still at risk as these versions do not support disabling the double EL resolution," said Amodio. "The vulnerability leads to remote code execution, which can be devastating to an entire infrastructure. Many organizations are still using outdated components, which don't provide added protections by disabling this functionality. Even more alarming is that these flawed components are still being used to build applications which can present long-term security risks if gone unmanaged."

To keep applications free from third-party attacks and performance issues, Aspect Security recommends IT managers and developers using Spring update their libraries and opt-out of enabling double EL resolution. To avoid similar security instances in the future, organizations should consider Component Lifecycle Management (CLM) products that ensure the integrity of component-based software by analyzing usage, enforcing policy during development and delivering fixes for flawed components.

The widespread use of insecure libraries and frameworks is not a new dilemma for the open source software community. In March 2012, Aspect Security in conjunction with Sonatype, released a study entitled, "The Unfortunate Reality of Insecure Libraries." The report documented 113 million downloads from the Central Repository of the 31 most popular Java frameworks and security libraries. Used by developers around the world, the Central Repository (operated by Sonatype) contains more than 400,000 components and receives eight billion requests per year. The report concluded that modern software relies heavily on open source, but users are not update aware - with one in three of the most popular components having older, vulnerable versions still being commonly downloaded, even when a newer version, with the security fix, was available. Other key findings from the report include:

  • 29.8 million (26 percent) of library downloads have known vulnerabilities
  • The most downloaded vulnerable libraries were GWT, Xerces, Spring MVC, and Struts 1.x
  • Security libraries are slightly more likely to have a known vulnerability than frameworks
  • Based on typical vulnerability rates, the vast majority of library flaws remain undiscovered
  • Neither presence nor absence of historical vulnerabilities is a useful security indicator
  • Typical Java applications are likely to include at least one vulnerable library

"The Remote Code with Expression Language Injection discovered by Aspect Security illustrates the importance of understanding how software vulnerabilities affect the downstream development ecosystem," said Ryan Berg, CSO of Sonatype, the world leader in Component Lifecycle Management products. "Development teams need flexible, proactive solutions that help manage these risks throughout the development lifecycle, so that organizations can trust that the components being used to build mission-critical applications are up-to-date and free from security vulnerabilities."

About Aspect Security

Founded in 2002, Aspect Security is a consulting firm focused exclusively on application security, ensuring that the software that drives business is protected against hackers. Aspect Security's engineers analyze, test and validate an average of 5,000,000 lines of critical application code every month. The company unearths more than 10,000 vulnerabilities every year across a wide range of technologies and architectures, and the company's practical recommendations dramatically improve clients' security posture. Aspect Security has taught tens of thousands of people around the world how to build, test and deploy secure applications, making the company a leader in application security training. Flexible delivery options include instructor-led training either in-person, via webcast, or on-demand through an innovative eLearning curriculum. Aspect has made vast industry contributions through the Open Web Application Security Project (OWASP), including the OWASP Top Ten, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Risk Rating Methodology, and WebGoat. For more information, please visit www.aspectsecurity.com or follow @aspectsecurity.

About Sonatype

Sonatype is leading the component revolution. The company's innovative component lifecycle management products enable organizations to realize the promise of agile, component-based software development while avoiding security, quality and licensing risks. Sonatype operates the Central Repository, the industry's primary source for open-source components, housing more than 400,000 components and serving nearly eight billion requests per year from more than 70,000 organizations. The company has been a pioneer in component-based software development since its founding by Jason van Zyl, the creator of the Apache Maven build management system and the Central Repository. Since that time, Sonatype has been a leader in core open-source software development ecosystem projects used by more than nine million developers including Nexus, m2eclipse, and Hudson. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com or follow Sonatype on Twitter @SonatypeCM

Media Contacts:
Dan Chmielewski
Madison Alexander PR
Email Contact


Paula Brici
Madison Alexander PR
Email Contact

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

@ThingsExpo Stories
Fifty billion connected devices and still no winning protocols standards. HTTP, WebSockets, MQTT, and CoAP seem to be leading in the IoT protocol race at the moment but many more protocols are getting introduced on a regular basis. Each protocol has its pros and cons depending on the nature of the communications. Does there really need to be only one protocol to rule them all? Of course not. In his session at @ThingsExpo, Chris Matthieu, co-founder and CTO of Octoblu, walk you through how Oct...
SYS-CON Events announced today that Embotics, the cloud automation company, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Embotics is the cloud automation company for IT organizations and service providers that need to improve provisioning or enable self-service capabilities. With a relentless focus on delivering a premier user experience and unmatched customer support, Embotics is the fas...
The Internet of Things (IoT), in all its myriad manifestations, has great potential. Much of that potential comes from the evolving data management and analytic (DMA) technologies and processes that allow us to gain insight from all of the IoT data that can be generated and gathered. This potential may never be met as those data sets are tied to specific industry verticals and single markets, with no clear way to use IoT data and sensor analytics to fulfill the hype being given the IoT today.
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...
@ThingsExpo has been named the Top 5 Most Influential M2M Brand by Onalytica in the ‘Machine to Machine: Top 100 Influencers and Brands.' Onalytica analyzed the online debate on M2M by looking at over 85,000 tweets to provide the most influential individuals and brands that drive the discussion. According to Onalytica the "analysis showed a very engaged community with a lot of interactive tweets. The M2M discussion seems to be more fragmented and driven by some of the major brands present in the...
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
The Quantified Economy represents the total global addressable market (TAM) for IoT that, according to a recent IDC report, will grow to an unprecedented $1.3 trillion by 2019. With this the third wave of the Internet-global proliferation of connected devices, appliances and sensors is poised to take off in 2016. In his session at @ThingsExpo, David McLauchlan, CEO and co-founder of Buddy Platform, discussed how the ability to access and analyze the massive volume of streaming data from millio...
SYS-CON Events announced today that Pulzze Systems will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Pulzze Systems, Inc. provides infrastructure products for the Internet of Things to enable any connected device and system to carry out matched operations without programming. For more information, visit http://www.pulzzesystems.com.
Successful digital transformation requires new organizational competencies and capabilities. Research tells us that the biggest impediment to successful transformation is human; consequently, the biggest enabler is a properly skilled and empowered workforce. In the digital age, new individual and collective competencies are required. In his session at 19th Cloud Expo, Bob Newhouse, CEO and founder of Agilitiv, will draw together recent research and lessons learned from emerging and established ...
Enterprise IT has been in the era of Hybrid Cloud for some time now. But it seems most conversations about Hybrid are focused on integrating AWS, Microsoft Azure, or Google ECM into existing on-premises systems. Where is all the Private Cloud? What do technology providers need to do to make their offerings more compelling? How should enterprise IT executives and buyers define their focus, needs, and roadmap, and communicate that clearly to the providers?
One of biggest questions about Big Data is “How do we harness all that information for business use quickly and effectively?” Geographic Information Systems (GIS) or spatial technology is about more than making maps, but adding critical context and meaning to data of all types, coming from all different channels – even sensors. In his session at @ThingsExpo, William (Bill) Meehan, director of utility solutions for Esri, will take a closer look at the current state of spatial technology and ar...
SYS-CON Events announced today that Streamlyzer will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Streamlyzer is a powerful analytics for video streaming service that enables video streaming providers to monitor and analyze QoE (Quality-of-Experience) from end-user devices in real time.
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
Cloud based infrastructure deployment is becoming more and more appealing to customers, from Fortune 500 companies to SMEs due to its pay-as-you-go model. Enterprise storage vendors are able to reach out to these customers by integrating in cloud based deployments; this needs adaptability and interoperability of the products confirming to cloud standards such as OpenStack, CloudStack, or Azure. As compared to off the shelf commodity storage, enterprise storages by its reliability, high-availabil...
The IoT industry is now at a crossroads, between the fast-paced innovation of technologies and the pending mass adoption by global enterprises. The complexity of combining rapidly evolving technologies and the need to establish practices for market acceleration pose a strong challenge to global enterprises as well as IoT vendors. In his session at @ThingsExpo, Clark Smith, senior product manager for Numerex, will discuss how Numerex, as an experienced, established IoT provider, has embraced a ...
DevOps is being widely accepted (if not fully adopted) as essential in enterprise IT. But as Enterprise DevOps gains maturity, expands scope, and increases velocity, the need for data-driven decisions across teams becomes more acute. DevOps teams in any modern business must wrangle the ‘digital exhaust’ from the delivery toolchain, "pervasive" and "cognitive" computing, APIs and services, mobile devices and applications, the Internet of Things, and now even blockchain. In this power panel at @...
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in Embedded and IoT solutions, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 7-9, 2017, at the Javits Center in New York City, NY. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology, is a premier provider of advanced server Building Block Solutions® for Data Center, Cloud Computing, Enterprise IT, Hadoop/Big Data, HPC and ...
SYS-CON Events announced today that SoftNet Solutions will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. SoftNet Solutions specializes in Enterprise Solutions for Hadoop and Big Data. It offers customers the most open, robust, and value-conscious portfolio of solutions, services, and tools for the shortest route to success with Big Data. The unique differentiator is the ability to architect and ...
In the next forty months – just over three years – businesses will undergo extraordinary changes. The exponential growth of digitization and machine learning will see a step function change in how businesses create value, satisfy customers, and outperform their competition. In the next forty months companies will take the actions that will see them get to the next level of the game called Capitalism. Or they won’t – game over. The winners of today and tomorrow think differently, follow different...