Not sure about the veracity of this, but:<p><a href="https://twitter.com/AlBaker_Dev/status/292415396684918784" rel="nofollow">https://twitter.com/AlBaker_Dev/status/292415396684918784</a><p>"That was fixed in 2011, Spring 3.0.6 and 2.5.6SEC03, enjoy!"
This is needless scaremongering!
If you write a web application that blindly executes/evals the contents of a request parameter or submitted form data, you need to have your head examined and not blame the underlying framework for the security vulnerability.
These security experts wrote a JSP page with intentionally flawed code that passes an incoming request parameter to an expression evaluation engine:
<spring:message text="" code="${param['message']}"></spring:message>
What did you expect would happen?<p>No framework is invulnerable against idiot programmers.
The technical details can be found here: <a href="https://www.aspectsecurity.com/uploads/downloads/2012/12/Remote-Code-with-Expression-Language-Injection.pdf" rel="nofollow">https://www.aspectsecurity.com/uploads/downloads/2012/12/Rem...</a>
a rough idea of what is happening here - this is something like sql injection, but for jsp pages. if you use un-sanitized data in a jsp page, evaluated via spring's expression language, then you may execute code, provided by users, on the server.<p>(expression language can be used elsewhere, but it's not so common and much less likely to receive user-supplied parameters)<p>also, this article <a href="http://www.h-online.com/open/news/item/The-ghost-of-a-Spring-Framework-bug-haunts-old-code-1786850.html" rel="nofollow">http://www.h-online.com/open/news/item/The-ghost-of-a-Spring...</a> is much clearer about affected versions (3.0.5 and below are bad; 3.0.6 can be fixed via config; 3.1 is ok)
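The pattern the two comments above describe (a request parameter such as <code>${param['message']}</code> flowing into the <code>code</code> attribute of <code>spring:message</code>, where the tag evaluates it a second time) can be caught by a simple source scan. The script below is an added example, not code from the thread or from Spring; the JSP fragments are constructed test input, and treating <code>spring:eval expression=</code> and header/cookie sources as additional sinks and taint sources is an assumption for illustration.

```python
import re

# Constructed sample JSP fragments for the scanner (not from any real application).
SAMPLE_JSP = """\
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<spring:message code="${param['message']}" text=""/>
<spring:message code="welcome.title" />
<spring:eval expression="${param.expr}" />
<spring:message code="${fn:escapeXml(param['message'])}" />
<c:out value="${param['message']}"/>
"""

# Tag attributes whose resolved value is evaluated as expression language again.
# spring:message code= is the case from the thread; spring:eval is an assumption.
EL_SINKS = {
    "spring:message": {"code"},
    "spring:eval": {"expression"},
}

TAG_RE = re.compile(r"<(spring:[a-zA-Z]+)\b([^>]*)>")
ATTR_RE = re.compile(r'([a-zA-Z:]+)\s*=\s*"([^"]*)"')
# Request-derived implicit objects appearing anywhere inside a ${...} expression.
# XML-escaping wrappers do not remove the taint: ${...} survives escapeXml intact.
TAINT_RE = re.compile(r"\$\{[^}]*\b(param|paramValues|header|headerValues|cookie)\b")


def find_el_injection_sinks(jsp_source):
    """Return (line_no, tag, attr, value) for sink attributes fed from request data."""
    findings = []
    for line_no, line in enumerate(jsp_source.splitlines(), start=1):
        for tag_match in TAG_RE.finditer(line):
            tag, attrs = tag_match.group(1), tag_match.group(2)
            sink_attrs = EL_SINKS.get(tag)
            if not sink_attrs:
                continue  # not a double-evaluating tag, e.g. c:out
            for attr, value in ATTR_RE.findall(attrs):
                if attr in sink_attrs and TAINT_RE.search(value):
                    findings.append((line_no, tag, attr, value))
    return findings


if __name__ == "__main__":
    for line_no, tag, attr, value in find_el_injection_sinks(SAMPLE_JSP):
        print(f"line {line_no}: <{tag} {attr}=\"{value}\"> takes request data into EL")
```

Hits on lines 2, 4 and 5 of the sample are the ones to fix (or to confirm the deployed Spring version no longer re-evaluates); line 6 is plain output and not a second evaluation.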
...how is this different from complaining that "SQL is unsafe because of injection possibilities"?<p>...do real world Spring web apps <i>really</i> use unsanitized user input with "expression language" queries? (or am I totally missing the point? - not a Spring guy, I admit, but it all reads weird to me)
I get quite upset when I see companies scaremonger for PR rather than try to help those who are actually doing things.<p>It seems to follow a particular pattern. Find a bug or bug class in $product. Then start screaming from the rooftops about how the sky is falling without telling people how to stop it or what the problem is. Finally release limited fix info via a mailing list or conference. In the end, everyone loses.
Is there an up-to-date document of Java security issues somewhere, preferably with explanations?<p>I don't use Java much these days but I am teaching my kids OOP using Java. I'd like to also take the opportunity to show him where the warts are.
> While the vulnerability that Aspect Security uncovered is not "trivial to exploit," acknowledged Williams, he has no doubt that determined attackers will do so.<p>The quotes should cover 'not' as well i.e. "not trivial to exploit".