Security researchers identify new vulnerability affecting Pivotal Spring projects

Researchers imaginatively dub the new vulnerability "Spring Break"

Researchers have warned that attackers could be tapping into a new critical remote code execution vulnerability affecting Pivotal Spring projects.

Identified by security specialists at LGTM, the flaw enables hackers to launch arbitrary commands on systems based on the Pivotal Spring web development framework.

They noted that the vulnerability resembles previously detailed weaknesses identified in Apache Struts. One of those flaws was behind the Equifax data breach, which hit the headlines last September; although a patch was available, Equifax had been slow to apply it.

According to the researchers, this flaw affects projects such as Spring Boot. They have advised users "to upgrade their Spring components to the latest versions as a matter of urgency".

The firm added that the flaw is "easy to exploit", enabling attackers to gain "control over production servers and obtain sensitive user data". It predominantly affects Spring Data REST, which is used by Java application developers.

"Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services," explained the researchers.

It is believed that the vulnerability stems from the way Spring's expression language (SpEL) is handled in a data component.

"Unvalidated user input leads to an attacker being able to execute arbitrary commands on any machine that runs an application built using Spring Data REST," warned the firm.

Affected components include:

Chris Wysopal, chief technology officer of CA Veracode, said the vulnerability is "another example of the continuous challenge that organisations face in maintaining the security of their applications".

He continued: "The importance of reacting quickly to 'Spring Break' cannot be underestimated. A similar remote-code execution vulnerability found in Apache Struts 2 last year was the root of a recent mega-breach [at Equifax], which put at risk the data of 143 million Americans.

"Of course, mitigating the risk of even severe vulnerabilities is no mean feat - even the most severe flaws take time to fix and our own research has shown that just 14 per cent of high severity flaws are closed within 30 days or less."