9/4/2008
Software frameworks are enjoying enormous popularity these days among a range of developers. That popularity is well earned; frameworks provide powerful tools for building more flexible and less error-prone applications. They generally enhance developer productivity with out-of-the-box functionality. And they can free developers to focus on features instead of common coding tasks.
The downside of frameworks is their lack of transparency. There's very little visibility into the internal behavior of frameworks, and consequently, their security implications, said Ryan Berg, chief scientist and co-founder of software risk analysis firm Ounce Labs.
A case in point: The Ounce Labs Advanced Research Team (ART) has documented two vulnerabilities that could affect Java Web apps utilizing the Spring Framework. Called "ModelView Injection" and "Data Submission to Non-Editable Fields," these vulnerabilities have the potential to allow attackers to subvert the expected application logic and gain control of an app, according to the ART documentation. That control could provide access to any data, credentials or keys held in the application.
What is most troubling about these vulnerabilities, according to Berg, is that they are not part of some correctable flaw within the framework, but a design issue. "[It's] a design issue that does not take security into account," Berg said. "Any organization utilizing this framework should fully understand the security implications of these design flaws and model their business processes and generate abuse cases to be sure that they are not being exploited."
With more than 5 million downloads to date, Spring ranks among the leading application frameworks and integration platforms, so these security vulnerabilities could affect thousands of enterprises. And in the J2EE world, Berg pointed out, it's common practice for enterprise applications to use multiple frameworks to implement key components of their Web applications.
These vulnerabilities underscore the often overlooked risks associated with software frameworks in general, said Dinis Cruz, director of Advanced Research for Ounce Labs. "The problem with frameworks is that they provide so many abstraction layers that the people who are using them don't understand fully what's going on within them," Cruz said.
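The following is an added illustration, not code from the article, from Ounce Labs, or from the Spring project. It assumes that "Data Submission to Non-Editable Fields" refers to Spring MVC's default data binding, which copies every matching request parameter onto the properties of a command object, including properties the form never exposes. The class names, the `ProfileForm` fields and the `ProfileService` interface are invented for the example; `WebDataBinder.setAllowedFields` and `BindingResult.getSuppressedFields` are real Spring APIs.

```java
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Hypothetical command object behind an "edit my profile" form.
// Only displayName and email are meant to be user-editable; role is
// assigned server-side and should never be taken from the request.
class ProfileForm {
    private String displayName;
    private String email;
    private String role = "USER";

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
}

// Hypothetical persistence layer; the body is irrelevant to the point.
interface ProfileService {
    void update(ProfileForm form);
}

// Exposed form: the binder maps any request parameter with a matching
// property name, so a POST that also carries "role=ADMIN" sets the role
// even though the HTML form has no such field. This is the behaviour
// the article's second vulnerability name describes.
@Controller
@RequestMapping("/profile")
class ExposedProfileController {
    private final ProfileService profileService;

    ExposedProfileController(ProfileService profileService) {
        this.profileService = profileService;
    }

    @RequestMapping(method = RequestMethod.POST)
    public String save(@ModelAttribute("profile") ProfileForm form) {
        profileService.update(form);
        return "redirect:/profile";
    }
}

// Hardened form: the binder is told exactly which properties may be
// bound from the request. Anything else submitted is dropped, and the
// dropped field names are available for logging so that unexpected
// parameters can be spotted during testing or in production monitoring.
@Controller
@RequestMapping("/profile")
class HardenedProfileController {
    private final ProfileService profileService;

    HardenedProfileController(ProfileService profileService) {
        this.profileService = profileService;
    }

    // Applies to the "profile" model attribute only.
    @InitBinder("profile")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");
    }

    @RequestMapping(method = RequestMethod.POST)
    public String save(@ModelAttribute("profile") ProfileForm form,
                       BindingResult result) {
        // Fields present in the request but outside the allow list.
        String[] suppressed = result.getSuppressedFields();
        if (suppressed.length > 0) {
            // A real application would route this to its audit log.
            System.err.println("Ignored non-editable fields: "
                    + String.join(", ", suppressed));
        }
        profileService.update(form);
        return "redirect:/profile";
    }
}
```

The allow list is the check to look for when reviewing Spring MVC code that binds request data to domain or command objects: without `setAllowedFields` (or `setDisallowedFields`), every writable property of the bound object is reachable from the request, which is exactly the kind of framework behaviour Cruz describes developers not seeing through the abstraction layers.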
Cruz is a consultant and trainer who specializes in penetration testing, ASP.NET app security, source-code security reviews, reverse engineering, and security curriculum development. He's well-known at conferences and trade shows for showing attendees how to bypass the built-in security mechanisms of the .NET and Java runtimes. He's also the chief security evangelist of the Open Web Application Security Project (OWASP), which is focused on finding and fighting the causes of insecure software. He leads the OWASP .NET Project, and is the main developer of several OWASP tools.
The Georgia Tech College of Computing, working in partnership with the Centers for Disease Control and Prevention, has developed a Web-based tool for tracking blood safety. The program is expected to help developing countries improve the adequacy and safety of their national blood supplies through better monitoring and evaluation.
Mississippi State University has implemented Reflex VMC (Virtual Management Center) from Reflex Systems. The application allows IT administrators to monitor a virtual infrastructure and enforce business and IT policies.
The Law, Science & Technology Program at Stanford Law School has launched the Intellectual Property Litigation Clearinghouse (IPLC), an online database that offers comprehensive information about intellectual property (IP) disputes within the United States.
The Texas A&M Health Science Center has selected the Banner Unified Digital Campus (UDC) from Sungard Higher Education to help unify its geographically dispersed community and to enhance and expand services and communications to its growing student enrollment.
Community colleges are in a good spot in some ways during the economic downturn, as tight family budgets drive up the appeal of the community college option. But along with the rest of higher education, most community colleges also face shrinking IT budgets and tighter resources. That makes it that much harder to handle the growing enrollment numbers that some community colleges are seeing.
Security vendor Finjan predicts that the current economic downturn could herald a sharp rise in cybercrime during 2009, driven by the rise in the number of IT people being laid off. According to a report from the company's Malicious Code Research Center (MCRC), more unemployed IT personnel will be tempted to seek "new and easy income by purchasing and using crimeware toolkits that are sold by professional hackers."