Major flaw in Java-based Spring Framework allows remote-code execution by attackers

No quick fix seen to 'remote code with expression language' injection, so many apps are at risk

There's a major flaw in the Java-based Spring Framework open-source development code that allows remote-code execution by attackers against applications built with it, according to the security firm Aspect Security, which identified the flaw.

"It allows attackers to inject code," says Jeff Williams, CEO at Aspect Security. The weakness is in what's called the "expression language" function in the Spring Framework development code.

[ Learn how to work smarter, not harder with InfoWorld's roundup of all the tips and trends programmers need to know in the Developers' Survival Guide. Download the PDF today! | Keep up with key security issues with InfoWorld's Security Adviser blog and Security Central newsletter. ]

NEWS: Rogue clouds giving IT staffs nightmares

Williams says Aspect Security has been working closely with the Spring Framework open-source community to address the issue, but so far the vulnerability related to what's being called "remote code with expression language" injection isn't something that seems to easily lend itself to a quick patch. So instead, software developers whose applications build on Spring could be at risk and are advised to turn off the expression-language feature.

Spring will likely disable the expression-language feature by default in the next version, says Williams, but for now the vulnerability, if exploited by an attacker, could lead to the complete compromise of the application build with it. "It's very dangerous," Williams says. "They could completely take over a Web application and run their code on the server."

Although it's not known exactly how many Spring-developed applications are vulnerable to this "remote code with expression language" injection attack, Sonatype, the operator of the Central Repositor that provides open-source components, shows that more than 1.3 million vulnerable instances of the Spring Framework have been downloaded by more than 22,000 organizations worldwide, according to Aspect Security.

The vulnerability that Aspect Security uncovered is not "trivial to exploit," Williams says, but he has no doubt that determined attackers will do so. He also noted that the Spring Framework code vulnerability made public this week has no connection whatsoever to issues recently identified in in-the-browser use of Java.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

This story, "Major flaw in Java-based Spring Framework allows remote-code execution by attackers" was originally published by Network World.

Copyright © 2013 IDG Communications, Inc.

InfoWorld Technology of the Year Awards 2023. Now open for entries!