A remote code execution flaw, dubbed Spring Break, affects various Pivotal Spring projects and could allow an attacker to run arbitrary commands on any machine running applications built using Spring Data REST.
Pivotal Spring is the world's most popular framework for building web applications and the vulnerability is similar to the Apache Struts vulnerability used in the Equifax data breach, according to a Feb 28 lgtm blog post.
“This vulnerability in Spring Data REST is unfortunately very easy to exploit,” Man Yue Mo, lgtm.com security researcher at Semmle, said in the post. “As it is common for RESTful APIs to be publicly accessible, it potentially allows bad actors to easily gain control over production servers and obtain sensitive user data.”
The flaw is caused by the way Spring's expression language is used in the Data REST component, which lets unvalidated user input be evaluated as an expression. Spring Data REST versions prior to 2.5.12, 2.6.7 and 3.0 RC3; Spring Boot versions prior to 2.0.0 M4; and Spring Data release trains prior to Kay-RC3 are all affected by the vulnerability, which has been assigned CVE-2017-8046.
Those affected are encouraged to update to the latest versions as soon as possible. Chris Wysopal, co-founder and CTO at CA Veracode, said the vulnerability is another example of the continuous challenge that organizations face in maintaining the security of their applications, and that the flaw shouldn't be underestimated.
“A similar RCE vulnerability found in Apache Struts 2 last year was the root of a recent mega-breach, which put at risk the data of 143 million Americans,” Wysopal told SC Media. “Of course, mitigating the risk of even severe vulnerabilities is no mean feat – even the most severe flaws take time to fix and our own research has shown that just 14 percent of high severity flaws are closed within 30 days or less.”
He added that organizations can better manage these flaws by maintaining a comprehensive inventory of all the open source elements that are included in their applications. Experts agreed. Synopsys Software Integrity Group EMEA Engineer Steve Giguere told SC Media that fixing serious vulnerabilities in FOSS is critical to ensuring companies do not become the next headline.
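The inventory-based approach Wysopal and Giguere describe comes down to comparing what a build actually pulls in against the affected ranges the article lists. The script below is an added illustration, not code from Pivotal, Semmle or the tools the experts mention: it parses Spring-style version strings (GA, M and RC qualifiers), encodes the fixed versions stated above (Spring Data REST 2.5.12, 2.6.7 and 3.0 RC3, written as 3.0.0.RC3 in Spring's naming; Spring Boot 2.0.0.M4) and flags each entry of a constructed dependency inventory. The Maven coordinates are the standard ones for those artifacts; the inventory entries are made up, and Spring Data release train names such as Kay-RC3 are deliberately not handled.

```python
"""Flag dependency versions that fall inside the ranges the article lists as
vulnerable to CVE-2017-8046.  Added illustration, not vendor code; the
dependency inventory at the bottom is constructed for the example."""
import re
from typing import Dict, List, Tuple

# Pre-release qualifiers sort below the GA (RELEASE) build of the same number.
QUALIFIER_RANK = {"M": 0, "RC": 1, "RELEASE": 2}

# Accepts "2.5.12", "2.6.6.RELEASE", "3.0.0.RC3", "2.0.0.M4".  A version with
# no qualifier is treated as a GA release, which is how the article writes them.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(M|RC)(\d+)|\.RELEASE)?$")

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn a Spring version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version string: {text!r}")
    major, minor, patch, qual, qual_num = m.groups()
    rank = QUALIFIER_RANK[qual] if qual else QUALIFIER_RANK["RELEASE"]
    return (int(major), int(minor), int(patch or 0), rank, int(qual_num or 0))


# First fixed version on each branch, as stated in the article.
# Release-train names (Kay-RC3) are not version strings and are not modelled.
FIXED_IN: Dict[str, List[str]] = {
    "org.springframework.data:spring-data-rest-core": ["2.5.12", "2.6.7", "3.0.0.RC3"],
    "org.springframework.boot:spring-boot": ["2.0.0.M4"],
}


def assess(artifact: str, version: str) -> str:
    """Return 'affected', 'fixed', 'unknown-branch' or 'not-tracked'."""
    fixes = FIXED_IN.get(artifact)
    if fixes is None:
        return "not-tracked"
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixes)
    for f in fixed:
        if v[:2] == f[:2]:          # same major.minor branch as a listed fix
            return "affected" if v < f else "fixed"
    if v < fixed[0]:                # older branch: prior to every listed fix
        return "affected"
    if v > fixed[-1]:               # newer branch than any listed fix
        return "fixed"
    return "unknown-branch"         # sits between fixes on a branch the article omits


def scan(dependencies: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Assess every (artifact, version) pair of an inventory."""
    return [(artifact, ver, assess(artifact, ver)) for artifact, ver in dependencies]


# Constructed inventory, shaped like what a FOSS analysis tool extracts from a build file.
SAMPLE_INVENTORY = [
    ("org.springframework.data:spring-data-rest-core", "2.6.6.RELEASE"),
    ("org.springframework.data:spring-data-rest-core", "2.6.7.RELEASE"),
    ("org.springframework.data:spring-data-rest-core", "3.0.0.RC2"),
    ("org.springframework.data:spring-data-rest-core", "3.0.0.RELEASE"),
    ("org.springframework.boot:spring-boot", "2.0.0.M3"),
    ("org.springframework.boot:spring-boot", "2.0.0.RELEASE"),
    ("org.apache.commons:commons-lang3", "3.7"),
]

if __name__ == "__main__":
    for artifact, ver, verdict in scan(SAMPLE_INVENTORY):
        print(f"{verdict:<14} {artifact} {ver}")
```

The branch-aware comparison matters: a plain "less than 3.0 RC3" test would wrongly clear 2.6.6 (numerically below, and affected) and wrongly flag nothing on 2.5.x, whereas matching on major.minor first reproduces the article's per-branch thresholds. Versions on a branch the article does not mention are reported as "unknown-branch" for manual review rather than silently passed.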
“This is another good example of where free and open source software (FOSS) management is essential,” Giguere said. “Not only would a FOSS analysis tool have found this vulnerability months before this official announcement (the CVE for this is dated January 4, 2018), but those using such a tool would have been alerted of the vulnerability in this framework hours after it was listed on NVD, as opposed to months later.”
Giguere added that hackers are looking for low-hanging fruit, and that it is essential to understand how much the gap between the discovery of a serious defect and taking action on it matters.