
Major flaw in Java-based Spring Framework allows remote-code execution

77 points, by rgarcia, over 12 years ago

12 comments

bhauer, over 12 years ago
Not sure about the veracity of this, but:

https://twitter.com/AlBaker_Dev/status/292415396684918784

"That was fixed in 2011, Spring 3.0.6 and 2.5.6SEC03, enjoy!"
manishsharan, over 12 years ago
This is needless scaremongering! If you write a web application that blindly executes/evals the contents of a request parameter or submitted form data, you need to have your head examined and not blame the underlying framework for the security vulnerability. These security experts wrote a JSP page with intentionally flawed code that passes an incoming request parameter to an expression evaluation engine: <spring:message text="" code="${param['message']}"> </spring:message>. What did you expect would happen?

No framework is invulnerable against idiot programmers.
mh8h, over 12 years ago
The technical details can be found here: https://www.aspectsecurity.com/uploads/downloads/2012/12/Remote-Code-with-Expression-Language-Injection.pdf
andrewcooke, over 12 years ago
a rough idea of what is happening here - this is something like sql injection, but for jsp pages. if you use un-sanitized data in a jsp page, evaluated via spring's expression language, then you may execute code, provided by users, on the server.

(expression language can be used elsewhere, but it's not so common and much less likely to receive user-supplied parameters)

also, this article http://www.h-online.com/open/news/item/The-ghost-of-a-Spring-Framework-bug-haunts-old-code-1786850.html is much clearer about affected versions (3.0.5 and below are bad; 3.0.6 can be fixed via config; 3.1 is ok)
mappu, over 12 years ago
I administer some servers running a third-party Java application under Tomcat. How can I tell whether it uses Spring or a vulnerable template?
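One way to start answering this question on a deployed application, as an added example that is not from this thread or from the Spring project: a small Python scanner that records the Spring jar versions found under WEB-INF/lib (to compare against the version ranges discussed in this thread) and flags Spring JSP tags whose attributes embed EL reading request-controlled objects, the pattern quoted above. It assumes an exploded-WAR layout; the regexes are heuristics, and the sample JSP and jar file name in demo() are constructed for the demonstration.

```python
import os
import re
import tempfile

# Spring JSP tags whose attribute values are evaluated a second time as EL.
DOUBLE_EVAL_TAG = re.compile(r"<spring:(?:message|eval|theme)\b[^>]*>", re.S)
# EL that reads request-controlled implicit objects (param, header, cookie).
TAINTED_EL = re.compile(r"\$\{[^}]*\b(?:param|paramValues|header|headerValues|cookie)\b[^}]*\}")
# Spring core/web jars as named in WEB-INF/lib, e.g. spring-webmvc-3.0.5.RELEASE.jar
SPRING_JAR = re.compile(r"^spring-(?:core|web|webmvc)-(\d+\.\d+\.\d+)\S*\.jar$")
# Constructed sample page reproducing the tag quoted in the thread (not real code).
SAMPLE_JSP = """<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<spring:message code="greeting"/>
<spring:message text="" code="${param['message']}"></spring:message>
"""

def scan_jsp(text):
    # (line number, tag text) for each Spring tag whose attributes embed tainted EL
    hits = []
    for tag in DOUBLE_EVAL_TAG.finditer(text):
        if TAINTED_EL.search(tag.group(0)):
            hits.append((text.count("\n", 0, tag.start()) + 1, tag.group(0)))
    return hits

def scan_webapp(root):
    # Walk an exploded webapp; collect Spring jar versions and risky JSP tags.
    report = {"spring_versions": set(), "jsp": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = SPRING_JAR.match(name)
            if m:
                report["spring_versions"].add(m.group(1))
            elif name.endswith((".jsp", ".jspx", ".tag")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_jsp(fh.read())
                if hits:
                    report["jsp"][os.path.relpath(path, root)] = hits
    report["spring_versions"] = sorted(report["spring_versions"])
    return report

def demo():
    # Throwaway webapp tree holding the constructed sample page and an empty jar name.
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "spring-webmvc-3.0.5.RELEASE.jar"), "w").close()
    with open(os.path.join(root, "hello.jsp"), "w") as fh:
        fh.write(SAMPLE_JSP)
    return scan_webapp(root)
```

Running demo() reports version 3.0.5 and the tag on line 3 of hello.jsp; a clean hit list on a version the thread calls fixed is the quickest reassurance, while any hit points at a template to rewrite so the attribute no longer contains request-derived EL.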
nnq, over 12 years ago
...how is this different from complaining that "SQL is unsafe because of injection possibilities"?

...do real world Spring web apps really use unsanitized user input with "expression language" queries? (or am I totally missing the point? - not a Spring guy, I admit, but it all reads weird to me)
based2, over 12 years ago
https://github.com/based2/checker-maven-plugin/blob/master/src/main/resources/java_cve.json
_b8r0, over 12 years ago
I get quite upset when I see companies scaremonger for PR rather than try to help those who are actually doing things.

It seems to follow a particular pattern. Find a bug or bug class in $product. Then start screaming from the rooftops about how the sky is falling without telling people how to stop it or what the problem is. Finally release limited fix info via a mailing list or conference. In the end, everyone loses.
robomartin, over 12 years ago
Is there an up-to-date document of Java security issues somewhere, preferably with explanations?

I don't use Java much these days but I am teaching my kids OOP using Java. I'd like to also take the opportunity to show him where the warts are.
bingo_cannon, over 12 years ago
> While the vulnerability that Aspect Security uncovered is not "trivial to exploit," acknowledged Williams, he has no doubt that determined attackers will do so.

The quotes should cover 'not' as well, i.e. "not trivial to exploit".
matdrewin, over 12 years ago
As long as you're not injecting unvalidated request parameters in your JSPs, you will be fine.
tonetheman, over 12 years ago
Meh, no worries.

If there is a flaw you probably need to write like 5M of XML to exploit it.