Critical security issues in the open source Spring Framework

Ounce Labs Advanced Research Team has documented two vulnerabilities that can affect Java web applications that utilize the Spring Framework.  With more than five million downloads of Spring to date, the security vulnerabilities identified could affect countless enterprises that utilize this commonly used framework.
 

The specific vulnerabilities are “ModelView Injection’ and “Data Submission to Non-Editable Fields.’ These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application itself, and access to any data, credentials or keys held in the application.  Although the two vulnerabilities discovered and analyzed by Ounce are part of the Spring Framework, Ounce Labs ART experts believe that similar issues can be found in other popular Frameworks. The ART Team has worked closely with the security team from SpringSource, the company behind Spring, to confirm these security issues and develop recommendations to avoid the associated risks.
 
The researchers used the Ounce security source code analysis tool as the platform to uncover these security issues, in addition to static analysis and in-depth manual analysis guided by the information from the Ounce findings. Unlike common application vulnerabilities that can expose Web applications to cross site scripting (XSS) or SQL injection attacks, these newly discovered class of vulnerabilities are not security flaws within the Framework, but are actually design issues that if not implemented properly expose business critical applications to attacks. The right security awareness in the design and testing phase of applications using the Framework can protect enterprises from exploitation after deployment.