Security Researchers Uncover Spring Framework Vulnerability

• By John K. Waters
• 09/04/08

Software frameworks are enjoying enormous popularity these days among a range of developers. It's popularity well earned; frameworks provide powerful tools for building more flexible and less error-prone applications. They generally enhance developer productivity with out-of-the-box functionality. And they can free developers to focus on features instead of common coding tasks.

The downside of frameworks is their lack of transparency. There's very little visibility into the internal behavior of frameworks, and consequently, their security implications, said Ryan Berg, chief scientist and co-founder of software risk analysis firm Ounce Labs.

A case in point: The Ounce Labs Advanced Research Team (ART) has documented two vulnerabilities that could affect Java Web apps utilizing the Spring Framework. Called "ModelView Injection" and "Data Submission to Non-Editable Fields," these vulnerabilities have the potential to allow attackers to subvert the expected application logic and gain control of an app., according to the ART documentation. That control could provide access to any data, credentials or keys held in the application.

What is most troubling about these vulnerabilities, according to Berg, is that they are not part of some correctable flaw within the framework, but a design issue. "[It's] a design issue that does not take security into account," Berg said. "Any organization utilizing this framework should fully understand the security implications of these design flaws and model their business processes and generate abuse cases to be sure that they are not being exploited."

With more than 5 million downloads to date, Spring ranks among the leading application framework and integration platforms, so these security vulnerabilities could affect thousands of enterprises. And in the J2EE world, Berg pointed out, it's common practice for enterprise applications to use multiple frameworks to implement key components of their Web applications.

These vulnerabilities underscore the often overlooked risks associated with software frameworks in general, said Dinis Cruz, director of Advanced Research for Ounce Labs. "The problem with frameworks is that they provide so many abstraction layers that the people who are using them don't understand fully what's going on within them," Cruz said.

Cruz is a consultant and trainer who specializes in penetration testing, ASP.NET app security, source-code security reviews, reverse engineering, and security curriculum development. He's well-known at conferences and trade shows for showing attendees how to bypass the built-in security mechanisms of the .NET and Java runtimes. He's also the chief security evangelist of the Open Web Application Security Project (OWASP), which is focused on finding and fighting the causes of insecure software. He leads the OWASP .NET Project, and is the main developer of several OWASP tools.

"The framework security problem is a catch-22," Cruz commented in a interview. "For a framework to be useful, it needs to be user friendly, to solve problems and add a lot of value. You do that by automating a lot of things. When you automate things, you reduce the visibility so that developers don't fully understand what's happening. They don't see the side effects of what they're doing. In a way the framework almost pushes you to implement it in an insecure way, because that's the way it was designed."

SpringSource, the company behind the Spring Framework, has been working closely with the ART researchers "to confirm these security issues and develop recommendations to avoid the associated risks," Once Labs said.

"We are working with the security experts at Ounce Labs to raise awareness within the Spring community of these two issues," said Keith Donald, SpringSource's Principal Software Engineer, in a prepared statement. "We are committed to ensuring that our community has all the information they need to secure their Spring applications, and we appreciate the collaboration with Ounce's team in this effort."

Once Labs recommendations for side-stepping the vulnerabilities in the framework can be found in its white paper here.