A remote code execution flaw, dubbed Spring Break, affects various Pivotal Spring projects and could allow an attacker to run arbitrary commands on any machine running applications built using Spring Data REST.
Pivotal Spring is the world's most popular framework for building web applications, and the vulnerability is similar to the Apache Struts vulnerability used in the Equifax data breach, according to a Feb 28 lgtm blog post.
“This vulnerability in Spring Data REST is unfortunately very easy to exploit,” Man Yue Mo, lgtm.com security researcher at Semmle said in the post. “As it is common for RESTful APIs to be publicly accessible, it potentially allows bad actors to easily gain control over production servers and obtain sensitive user data.”
The flaw is caused by the way Spring's expression language is used in the Data REST component, which allows unvalidated user input to lead to code execution. Spring Data REST versions prior to 2.5.12, 2.6.7 and 3.0 RC3; Spring Boot versions prior to 2.0.0M4; and Spring Data release trains prior to Kay-RC3 are all affected by the vulnerability, assigned CVE-2017-8046.
Those affected are encouraged to update to the latest versions as soon as possible. Chris Wysopal, co-founder and CTO at CA Veracode, said the vulnerability is another example of the continuous challenge that organizations face in maintaining the security of their applications, and that the flaw shouldn't be underestimated.