Unvalidated user input is the source of most security risks. Using unvalidated user input in an expression language creates a critical attack vector for Remote Code Execution attacks.
Last year, researchers identified several RCE vulnerabilities in OGNL, the expression language of Apache Struts. Such vulnerabilities can cause catastrophic results such as the infamous Equifax data breach in which roughly 147.9 million Americans were impacted. It remains the largest data breach of personal information in history.
“Spring Break” (CVE-2017-8046) is another example of an unvalidated user input vulnerability in a framework’s expression language, namely Spring’s expression language (SpEL). Attackers that exploit this new attack vector can send specifically crafted user inputs (payloads) that lead to arbitrary code being executed on the vulnerable system.
At a minimum, organizations must maintain an inventory of all the open source components used in their production systems. This allows organizations to identify the vulnerable components and patch them when patches become available.
Pivotal has released patched versions of the Spring framework and any affected organization is strongly advised to upgrade their framework libraries as soon as possible.
It is important to note that the upgrade process requires the modification of their dependency files (e.g. pom.xml) to use the latest artifact version. This process requires a clean recompilation of the software, redeployment and restart of the service.
Alternatively, virtual patching allows the patching of the framework without making any source code changes and thus completely avoiding the recompilation, redeployment and restarting the software. Virtual patching by Waratek is the functional equivalent of the vendor’s physical patch and can be applied in a matter of seconds.
Author:
Apostolos Giannakidis
Security Architect
Apostolos drives the research and the design of the security features of Waratek’s Application Security Platform. Before starting his journey in Waratek in 2014, Apostolos worked in Oracle for 2 years focusing on Destructive Testing on the whole technology stack of Oracle and on Security Testing of the Solaris operating system. Apostolos has more than 10 years of experience in the software industry and holds an MSc in Computer Science from the University of Birmingham.
