Spring Break flaw shows cross-industry collaboration

Security researchers at lgtm.com have warned users of Pivotal’s Spring Framework to update their software immediately because of a critical flaw known as Spring Break.

The researchers discovered a critical remote code execution vulnerability that allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

The Spring Framework is regarded as the leading open source framework for building Java applications. The project was taken over by cloud development company Pivotal in 2013.

According to lgtm.com, the vulnerability is similar to the weaknesses found in Apache Struts, one of which resulted in the Equifax data breach.

Several Spring projects, including Spring Boot, are affected, said lgtm.com. Pivotal issued a patch for the vulnerability (CVE-2017-8046), which it confirmed affects Spring Data REST versions prior to 2.5.12, 2.6.7, 3.0 RC3; Spring Boot versions prior to 2.0.0M4; and Spring Data release trains prior to Kay-RC3.

Chris Wysopal, CTO at CA Veracode, said: “The importance of reacting quickly to Spring Break cannot be overstated. Of course, mitigating the risk of even severe vulnerabilities is no mean  feat – even the most severe flaws take time to fix and our own research has shown that just 14% of high-severity flaws are closed within 30 days or less.”

Wysopal urged development teams to manage the constant threat of new vulnerabilities using a comprehensive inventory of all the open source elements that are included in their applications. For existing applications, running composition analysis can identify which components are contained in applications – but just 28% of organisations are doing this regularly, he said.

“Only when taking advantage of alerts and notification of newly discovered vulnerabilities, which are then checked against an accurate, up-to-date inventory, can originations understand their exposure and how best to mitigate this risk,” said Wysopal.

What is significant about the Pivotal patch is that because Spring is so widely used, the flaw was publicised only after users had been given enough time to update their web software.