HIPAA News
Ounce Labs Advanced Research Team Identifies Critical Security Issues in Popular Open Source Spring Framework
(July 17, 2008)-- Ounce Labs announced that the company's Advanced Research Team (ART) has documented two vulnerabilities that can affect Java web applications that utilize the Spring Framework. With more than five million downloads of Spring to date, the security vulnerabilities identified could affect countless enterprises that utilize this commonly used framework.
The specific vulnerabilities are 'ModelView Injection' and 'Data Submission to Non-Editable Fields.' These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application itself and access to any data, credentials or keys held in the application. Although the two vulnerabilities discovered and analyzed by Ounce are part of the Spring Framework, Ounce Labs ART experts believe that similar issues can be found in other popular frameworks. The ART team has worked closely with the security team from SpringSource, the company behind Spring, to confirm these security issues and develop recommendations to avoid the associated risks.
"Many of today's enterprise class applications have a piece of this framework in them," says Dinis Cruz, director of Advanced Research for Ounce Labs. "As we put more and more trust into the frameworks that are the foundation of our applications, we need to make sure we understand the security decisions made so we can make the right implementation choices."
The researchers used the Ounce security source code analysis tool as the platform to uncover these security issues, in addition to static analysis and in-depth manual analysis guided by the information from the Ounce findings. Unlike common application vulnerabilities such as cross-site scripting (XSS) or SQL injection, this newly discovered class of vulnerabilities is not a set of security flaws within the Framework itself; rather, these are design issues that, if not handled properly by the application, expose business-critical applications to attack. The right security awareness in the design and testing phase of applications using the Framework can protect enterprises from exploitation after deployment.
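The release does not spell out the mechanism behind 'Data Submission to Non-Editable Fields', but the design choice it refers to is the well-known Spring MVC data-binding behavior: by default the binder copies every request parameter whose name matches a setter on the command object, whether or not the page rendered an input for it. The following is an added example, not code from Ounce Labs or from the Spring project, showing the application-side control a practitioner would apply: an allow-list of bindable fields plus logging of what the binder suppressed. It assumes Spring 2.5-style annotated controllers; the `UserProfile` class, its fields and the `/profile` mapping are hypothetical.

```java
import java.util.Arrays;
import java.util.logging.Logger;

import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/** Hypothetical command object. Only displayName and email are meant to be user-editable. */
class UserProfile {
    private String displayName;
    private String email;
    private boolean admin;    // never rendered on the form, but still a bindable property
    private long accountId;   // set server-side, never from the request

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
    public long getAccountId() { return accountId; }
    public void setAccountId(long accountId) { this.accountId = accountId; }
}

@Controller
@RequestMapping("/profile")
public class ProfileController {

    private static final Logger log = Logger.getLogger(ProfileController.class.getName());

    // Without this allow-list, a POST carrying admin=true or accountId=... would be
    // bound into the command object, because the binder matches parameters by
    // setter name rather than by what the form exposed.
    @InitBinder("profile")
    public void restrictBindableFields(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");
    }

    @RequestMapping(method = RequestMethod.POST)
    public String save(@ModelAttribute("profile") UserProfile profile, BindingResult result) {
        // Parameters rejected by the allow-list are not binding errors; Spring records
        // them as suppressed fields. Logging them gives a cheap detection signal for
        // clients submitting fields the page never offered.
        String[] suppressed = result.getSuppressedFields();
        if (suppressed.length > 0) {
            log.warning("Ignored non-editable fields in profile update: "
                    + Arrays.toString(suppressed));
        }
        // profile.isAdmin() and profile.getAccountId() keep their defaults regardless
        // of what the client submitted; persist through your own service layer here.
        return "redirect:/profile";
    }
}
```

The allow-list is deliberately positive (name what may be bound) rather than a `setDisallowedFields` deny-list, so that a property added to the command object later is excluded until someone consciously opts it in; the same review should be applied to every form-backing object in an application built on the framework.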
"In the J2EE world, it is common practice for enterprise applications to use multiple frameworks to implement key components of their Web applications. The problem is that there is very little visibility on the internal behavior of these frameworks and their security implications," said Ryan Berg, chief scientist and co-founder of Ounce Labs. "This is not a correctable flaw within the framework itself, but rather a design issue that does not take security into account. Any organization utilizing this framework should fully understand the security implications of this design flaw, and model their business processes and generate abuse cases to be sure that they are not being exploited."
Ounce Labs' Advanced Research Team consists of leading security experts dedicated to raising the awareness of software security and the development of best practices for incorporating application security into the software development lifecycle. The team conducts research and develops practical methods that organizations can use to analyze and eliminate software security vulnerabilities and strengthen enterprise security.
Ounce helps organizations to verify compliance with internal policies and industry mandates including PCI DSS, FISMA, HIPAA and others. For more information, please visit http://www.ouncelabs.com.