Welcome!

Eclipse Authors: Liz McMillan, Mano Marks, JP Morgenthal, Yeshim Deniz, Elizabeth White

News Feed Item

Aspect Security Researchers Discover Remote Code Vulnerability in the Spring Framework

More Than 22,000 Organizations Worldwide Have Downloaded 1.3 Million Insecure Instances of the Spring Framework Exposing Those Enterprises to Hostile Takeover of Business Systems

COLUMBIA, MD -- (Marketwire) -- 01/16/13 -- Aspect Security, a pioneer in application security, today announced that its researchers have discovered a significant security vulnerability in the Spring Framework. Exclusive data from Sonatype, the operator of the Central Repository, the industry's primary source for open-source components, shows that more than 1.3 million vulnerable instances of the Spring Framework has been downloaded by more than 22,000 organizations worldwide.

Spring is an open-source framework used by Java developers to build business-critical applications. The Expression Language (EL) vulnerability enables an attacker to use a remote code execution to invoke functionality and take over a machine or the organization's entire network. Once an attacker exploits this weakness, the enterprise loses control of the business systems built on the Spring Framework.

Dubbed Remote Code with Expression Language Injection by Arshan Dabirsiaghi, Director of Research, Aspect Security and Stefano DiPaola, CTO of Minded Security, this flaw was discovered nearly 20 months ago and resulted in a fix by VMware in the latest version of the Spring Framework. Further research conducted by Aspect Security engineer Dan Amodio has uncovered additional issues that elevate the severity of the flaw, and Aspect cautions that additional steps need to be taken in order to protect organizations from Expression Language Injection vulnerabilities.

"It's difficult to quantify the depth and breadth of this problem since not every application is vulnerable, but any organization using Spring 3.0.5 or earlier is still at risk as these versions do not support disabling the double EL resolution," said Amodio. "The vulnerability leads to remote code execution, which can be devastating to an entire infrastructure. Many organizations are still using outdated components, which don't provide added protections by disabling this functionality. Even more alarming is that these flawed components are still being used to build applications which can present long-term security risks if gone unmanaged."

To keep applications free from third-party attacks and performance issues, Aspect Security recommends IT managers and developers using Spring update their libraries and opt-out of enabling double EL resolution. To avoid similar security instances in the future, organizations should consider Component Lifecycle Management (CLM) products that ensure the integrity of component-based software by analyzing usage, enforcing policy during development and delivering fixes for flawed components.

The widespread use of insecure libraries and frameworks is not a new dilemma for the open source software community. In March 2012, Aspect Security in conjunction with Sonatype, released a study entitled, "The Unfortunate Reality of Insecure Libraries." The report documented 113 million downloads from the Central Repository of the 31 most popular Java frameworks and security libraries. Used by developers around the world, the Central Repository (operated by Sonatype) contains more than 400,000 components and receives eight billion requests per year. The report concluded that modern software relies heavily on open source, but users are not update aware - with one in three of the most popular components having older, vulnerable versions still being commonly downloaded, even when a newer version, with the security fix, was available. Other key findings from the report include:

  • 29.8 million (26 percent) of library downloads have known vulnerabilities
  • The most downloaded vulnerable libraries were GWT, Xerces, Spring MVC, and Struts 1.x
  • Security libraries are slightly more likely to have a known vulnerability than frameworks
  • Based on typical vulnerability rates, the vast majority of library flaws remain undiscovered
  • Neither presence nor absence of historical vulnerabilities is a useful security indicator
  • Typical Java applications are likely to include at least one vulnerable library

"The Remote Code with Expression Language Injection discovered by Aspect Security illustrates the importance of understanding how software vulnerabilities affect the downstream development ecosystem," said Ryan Berg, CSO of Sonatype, the world leader in Component Lifecycle Management products. "Development teams need flexible, proactive solutions that help manage these risks throughout the development lifecycle, so that organizations can trust that the components being used to build mission-critical applications are up-to-date and free from security vulnerabilities."

About Aspect Security

Founded in 2002, Aspect Security is a consulting firm focused exclusively on application security, ensuring that the software that drives business is protected against hackers. Aspect Security's engineers analyze, test and validate an average of 5,000,000 lines of critical application code every month. The company unearths more than 10,000 vulnerabilities every year across a wide range of technologies and architectures, and the company's practical recommendations dramatically improve clients' security posture. Aspect Security has taught tens of thousands of people around the world how to build, test and deploy secure applications, making the company a leader in application security training. Flexible delivery options include instructor-led training either in-person, via webcast, or on-demand through an innovative eLearning curriculum. Aspect has made vast industry contributions through the Open Web Application Security Project (OWASP), including the OWASP Top Ten, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Risk Rating Methodology, and WebGoat. For more information, please visit www.aspectsecurity.com or follow @aspectsecurity.

About Sonatype

Sonatype is leading the component revolution. The company's innovative component lifecycle management products enable organizations to realize the promise of agile, component-based software development while avoiding security, quality and licensing risks. Sonatype operates the Central Repository, the industry's primary source for open-source components, housing more than 400,000 components and serving nearly eight billion requests per year from more than 70,000 organizations. The company has been a pioneer in component-based software development since its founding by Jason van Zyl, the creator of the Apache Maven build management system and the Central Repository. Since that time, Sonatype has been a leader in core open-source software development ecosystem projects used by more than nine million developers including Nexus, m2eclipse, and Hudson. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com or follow Sonatype on Twitter @SonatypeCM

Media Contacts:
Dan Chmielewski
Madison Alexander PR
714-832-8716
Email Contact

Or

Paula Brici
Madison Alexander PR
949-677-6527
Email Contact

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

@ThingsExpo Stories
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud enviro...
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex softw...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
The security needs of IoT environments require a strong, proven approach to maintain security, trust and privacy in their ecosystem. Assurance and protection of device identity, secure data encryption and authentication are the key security challenges organizations are trying to address when integrating IoT devices. This holds true for IoT applications in a wide range of industries, for example, healthcare, consumer devices, and manufacturing. In his session at @ThingsExpo, Lancen LaChance, vic...
Who are you? How do you introduce yourself? Do you use a name, or do you greet a friend by the last four digits of his social security number? Assuming you don’t, why are we content to associate our identity with 10 random digits assigned by our phone company? Identity is an issue that affects everyone, but as individuals we don’t spend a lot of time thinking about it. In his session at @ThingsExpo, Ben Klang, Founder & President of Mojo Lingo, discussed the impact of technology on identity. Sho...
Manufacturers are embracing the Industrial Internet the same way consumers are leveraging Fitbits – to improve overall health and wellness. Both can provide consistent measurement, visibility, and suggest performance improvements customized to help reach goals. Fitbit users can view real-time data and make adjustments to increase their activity. In his session at @ThingsExpo, Mark Bernardo Professional Services Leader, Americas, at GE Digital, discussed how leveraging the Industrial Internet and...
IoT generates lots of temporal data. But how do you unlock its value? You need to discover patterns that are repeatable in vast quantities of data, understand their meaning, and implement scalable monitoring across multiple data streams in order to monetize the discoveries and insights. Motif discovery and deep learning platforms are emerging to visualize sensor data, to search for patterns and to build application that can monitor real time streams efficiently. In his session at @ThingsExpo, ...
What are the new priorities for the connected business? First: businesses need to think differently about the types of connections they will need to make – these span well beyond the traditional app to app into more modern forms of integration including SaaS integrations, mobile integrations, APIs, device integration and Big Data integration. It’s important these are unified together vs. doing them all piecemeal. Second, these types of connections need to be simple to design, adapt and configure...
"ReadyTalk is an audio and web video conferencing provider. We've really come to embrace WebRTC as the platform for our future of technology," explained Dan Cunningham, CTO of ReadyTalk, in this SYS-CON.tv interview at WebRTC Summit at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
A critical component of any IoT project is what to do with all the data being generated. This data needs to be captured, processed, structured, and stored in a way to facilitate different kinds of queries. Traditional data warehouse and analytical systems are mature technologies that can be used to handle certain kinds of queries, but they are not always well suited to many problems, particularly when there is a need for real-time insights.
WebRTC is about the data channel as much as about video and audio conferencing. However, basically all commercial WebRTC applications have been built with a focus on audio and video. The handling of “data” has been limited to text chat and file download – all other data sharing seems to end with screensharing. What is holding back a more intensive use of peer-to-peer data? In her session at @ThingsExpo, Dr Silvia Pfeiffer, WebRTC Applications Team Lead at National ICT Australia, looked at differ...
In his General Session at 16th Cloud Expo, David Shacochis, host of The Hybrid IT Files podcast and Vice President at CenturyLink, investigated three key trends of the “gigabit economy" though the story of a Fortune 500 communications company in transformation. Narrating how multi-modal hybrid IT, service automation, and agile delivery all intersect, he will cover the role of storytelling and empathy in achieving strategic alignment between the enterprise and its information technology.
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, Sandy Ca...
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
Providing secure, mobile access to sensitive data sets is a critical element in realizing the full potential of cloud computing. However, large data caches remain inaccessible to edge devices for reasons of security, size, format or limited viewing capabilities. Medical imaging, computer aided design and seismic interpretation are just a few examples of industries facing this challenge. Rather than fighting for incremental gains by pulling these datasets to edge devices, we need to embrace the i...
Internet of @ThingsExpo, taking place June 6-8, 2017 at the Javits Center in New York City, New York, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo New York Call for Papers is now open.
For basic one-to-one voice or video calling solutions, WebRTC has proven to be a very powerful technology. Although WebRTC’s core functionality is to provide secure, real-time p2p media streaming, leveraging native platform features and server-side components brings up new communication capabilities for web and native mobile applications, allowing for advanced multi-user use cases such as video broadcasting, conferencing, and media recording.
Things are changing so quickly in IoT that it would take a wizard to predict which ecosystem will gain the most traction. In order for IoT to reach its potential, smart devices must be able to work together. Today, there are a slew of interoperability standards being promoted by big names to make this happen: HomeKit, Brillo and Alljoyn. In his session at @ThingsExpo, Adam Justice, vice president and general manager of Grid Connect, will review what happens when smart devices don’t work togethe...
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...