dcsimg

Ounce Labs Advanced Research Team Identifies Critical Security Issues in Popular Open Source Spring Framework

WALTHAM, Mass., July 16 /PRNewswire/ -- Ounce Labs, the industry leader in software risk analysis, today announced that the company's Advanced Research Team (ART) has documented two vulnerabilities that can affect Java web applications that utilize the Spring Framework. With more than five million downloads of Spring to date, the security vulnerabilities identified could affect countless enterprises that utilize this commonly used framework.

WALTHAM, Mass., July 16 /PRNewswire/ — Ounce Labs, the industry leader in software risk analysis, today announced that the company's Advanced Research Team (ART) has documented two vulnerabilities that can affect Java web applications that utilize the Spring Framework. With more than five million downloads of Spring to date, the security vulnerabilities identified could affect countless enterprises that utilize this commonly used framework.

The specific vulnerabilities are 'ModelView Injection' and 'Data Submission to Non-Editable Fields.' These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application itself, and access to any data, credentials or keys held in the application. Although the two vulnerabilities discovered and analyzed by Ounce are part of the Spring Framework, Ounce Labs ART experts believe that similar issues can be found in other popular Frameworks. The ART Team has worked closely with the security team from SpringSource, the company behind Spring, to confirm these security issues and develop recommendations to avoid the associated risks.

"Many of today's enterprise class applications have a piece of this framework in them," says Dinis Cruz, director of Advanced Research for Ounce Labs. "As we put more and more trust into the frameworks that are the foundation of our applications, we need to make sure we understand the security decisions made so we can make the right implementation choices."

The researchers used the Ounce security source code analysis tool as the platform to uncover these security issues, in addition to static analysis and in-depth manual analysis guided by the information from the Ounce findings. Unlike common application vulnerabilities that can expose Web applications to cross site scripting (XSS) or SQL injection attacks, these newly discovered class of vulnerabilities are not security flaws within the Framework, but are actually design issues that if not implemented properly expose business critical applications to attacks. The right security awareness in the design and testing phase of applications using the Framework can protect enterprises from exploitation after deployment.

"We are working with the security experts at Ounce Labs to raise awareness within the Spring community of these two issues," stated Keith Donald, Principal Software Engineer, SpringSource. "We are committed to ensuring that our community has all the information they need to secure their Spring applications, and we appreciate the collaboration with Ounce's team in this effort."

"In the J2EE world, it is common practice for enterprise applications to use multiple frameworks to implement key components of their Web applications. The problem is that there is very little visibility on the internal behavior of these frameworks and its security implications," said Ryan Berg, chief scientist and co-founder of Ounce Labs. "This is not a correctable flaw within the framework itself, but rather a design issue that does not take security into account. Any organization utilizing this framework should fully understand the security implications of this design flaw, and model their business processes and generate abuse cases to be sure that they are not being exploited."

In order to avoid these vulnerabilities, Ounce Labs Advanced Research Team recommends:

— Never directly use data that a user can control, through hidden fields, cookies or direct form submissions to control the actual views that are rendered in the MVC pattern.

— Always use the setAllowedFields method to limit the auto-binding of all fields to only those fields that are required for the form.

— Remember that validation is not just about protecting against SQL injection and XSS. You must also validate all data that can be used to control a business process.

Ounce Labs Advanced Research Team consists of leading security experts dedicated to raising the awareness of software security and the development of best practices for incorporating application security into the software development lifecycle. The team conducts research and develops practical methods that organizations can use to analyze and eliminate software security vulnerabilities and strengthen enterprise security.

An Ounce ART Security Advisory has been published with additional details on these security issues. The Advisory is available for download at http://www.ouncelabs.com/springmvc. Ounce Labs will also present a webcast on the details of this advisory on July 22nd. For more information and to register, please visit http://www.ouncelabs.com/springmvc. SpringSource, the company behind Spring, has also provided answers to frequently asked questions regarding this advisory at http://www.springsource.com/securityadvisory.

About Ounce Labs, Inc.

Ounce Labs' industry-leading source code analysis solutions enable organizations to analyze their applications to identify, prioritize and eliminate software security vulnerabilities. Ounce delivers the accuracy, immediate time-to-value, and automated workflow that large enterprises demand while helping organizations such as EDS, IBM, Intel, Lockheed Martin, MFS, the U.S. Government Accountability Office, Unisys and VeriSign, to strengthen application security and protect confidential information. Ounce also helps organizations to verify compliance with internal policies and industry mandates including PCI DSS, FISMA, HIPAA and others. For more information, please visit http://www.ouncelabs.com.

Ounce Labs is a registered trademark of Ounce Labs, Inc. in the United States and other countries. Other product or service names mentioned herein are the trademarks of their respective owners.

Media Contacts: Peter Crosby Ounce Labs 781.547.7012 Peter.Crosby@ouncelabs.com http://www.ouncelabs.com Brenda Menard Davies Murphy Group 781.418.2435 ounce@daviesmurphy.com http://www.daviesmurphy.com

SOURCE Ounce Labs, Inc.

Comments are closed.