Security researchers at LGTM.com have discovered a critical remote code execution vulnerability that affects various projects in Pivotal Spring, the world's most popular framework for building web applications. The vulnerability allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST. The vulnerability is similar to the weaknesses found in Apache Struts, one of which resulted in the Equifax data breach. Multiple Spring projects, including Spring Boot, are affected.
We strongly advise users to upgrade their Spring components to the latest versions as a matter of urgency.
The vulnerability was found by security researcher Man Yue Mo at Semmle — the team behind LGTM.com — using the QL query technology that powers the analysis on LGTM, which is freely available to the open source community.
This vulnerability in Spring Data REST is unfortunately very easy to exploit. As it is common for RESTful APIs to be publicly accessible, it potentially allows bad actors to easily gain control over production servers and obtain sensitive user data.
Pivotal’s Spring Framework is the most popular platform for building web applications, according to developer-focused analyst firm RedMonk. Spring Data REST is a collection of additional components for developers to build Java applications that offer RESTful APIs to underlying Spring Data repositories. Such interfaces are incredibly widely used; virtually every modern web application contains components that communicate through REST interfaces, ranging from online travel booking systems and mobile applications to internet banking services.
This vulnerability is caused by the way Spring’s own expression language (SpEL) is used in the Data REST component. Unvalidated user input leads to an attacker being able to execute arbitrary commands on any machine that runs an application built using Spring Data REST. This vulnerability has been assigned CVE-2017-8046, and is referred to by Pivotal in their release notes as DATAREST-1127.
The following Spring products and components are affected:
- Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3 (Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
- Spring Boot, versions prior to 2.0.0M4 (when using the included Spring Data REST component: spring-boot-starter-data-rest)
- Spring Data, versions prior to Kay-RC3
Users are strongly advised to urgently upgrade to the latest versions of those components.
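As an added check that is not part of the original post or of Pivotal's tooling, the following Python script flags Maven dependencies whose versions fall inside the affected ranges listed above. The ordering of Spring's M/RC/RELEASE qualifiers and the sample pom.xml are assumptions; Spring Data release-train names such as Kay-RC3 are not parsed, so check the Data REST artifact version for those builds instead.

```python
import re
import xml.etree.ElementTree as ET
# First fixed version per release line, as named in the advisory. A version in an
# older line than any fixed one (e.g. 2.4.x) is treated as affected as well.
FIXED = {"spring-data-rest": ["2.5.12.RELEASE", "2.6.7.RELEASE", "3.0.0.RC3"],
         "spring-boot-starter-data-rest": ["2.0.0.M4"]}
QUALIFIER_RANK = {"M": 0, "RC": 1, "RELEASE": 2, "SR": 3}   # assumed: M < RC < RELEASE < SR

def parse_version(version):
    """'3.0.0.RC3', '3.0RC3', '2.6.6.RELEASE', '2.6.7' -> comparable tuple."""
    nums, rank, qnum = [], QUALIFIER_RANK["RELEASE"], 0
    for tok in re.findall(r"[A-Za-z]+\d*|\d+", version):
        if tok.isdigit():
            nums.append(int(tok))
            continue
        m = re.fullmatch(r"(M|RC|RELEASE|SR)(\d*)", tok.upper())
        if not m:
            raise ValueError(f"unrecognised version qualifier in {version!r}")
        rank, qnum = QUALIFIER_RANK[m.group(1)], int(m.group(2) or 0)
        break
    nums += [0] * (3 - len(nums))
    return (*nums[:3], rank, qnum)

def is_affected(artifact, version):
    """True if this Maven artifact/version pair lies in an affected range."""
    key = "spring-data-rest" if artifact.startswith("spring-data-rest-") else artifact
    if key not in FIXED:
        return False                       # not an artifact the advisory names
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED[key])
    same_line = [f for f in fixed if f[:2] == v[:2]]   # same major.minor line
    return v < (same_line[0] if same_line else fixed[0])

def scan_pom(pom_xml):
    """Return [(artifactId, version)] for affected <dependency> entries."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    hits = []
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", ns):
        art = dep.findtext("m:artifactId", default="", namespaces=ns)
        ver = dep.findtext("m:version", default="", namespaces=ns)
        if ver and not ver.startswith("${") and is_affected(art, ver):
            hits.append((art, ver))        # ${...}/inherited versions: resolve first
    return hits

# Constructed sample pom.xml (not from any real project; groupId omitted for brevity).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><artifactId>spring-data-rest-webmvc</artifactId><version>2.6.6.RELEASE</version></dependency>
<dependency><artifactId>spring-boot-starter-data-rest</artifactId><version>2.0.0.M4</version></dependency>
</dependencies></project>"""
```

Versions managed through a parent POM or a `${property}` are skipped rather than guessed, so resolve them (for example with `mvn dependency:tree`) before relying on the result.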
Securing your own open source projects
The LGTM security team works with the community to secure the open source software that the world has come to rely on. Any developer can add their favorite open source projects from GitHub.com and Bitbucket.org. A growing number of large open source projects are using LGTM’s automatic code review through pull request integration in order to prevent vulnerabilities from being (re)introduced into their codebase.
For example, here is a pull request to AMP HTML (Accelerated Mobile Pages) that almost led to the introduction of a regular expression injection that could be abused as an XSS vulnerability. NASA uses LGTM both on their proprietary and open source projects to improve their code and keep it secure. Here’s an example of LGTM reviewing code in their OpenMBEE project. Some examples of other open source projects that rely on LGTM’s automated code review: scikit-learn, Matplotlib, Three.js, and NumPy.
You can set up automated code review for your own project through pull request integration on the ‘Integrations’ tab on your project’s LGTM.com page. This functionality is also available in Semmle’s enterprise product offering.
Use LGTM for your own security research
The query language that powers LGTM.com allows you to write queries over source code. This technology enables our security researchers to find and report security vulnerabilities on an almost weekly (sometimes daily!) basis. Security researcher Man Yue Mo explains in a separate blog post how he wrote the query to find this particular vulnerability in Spring Data REST. There are numerous other blog posts on our blog containing details of various other vulnerabilities that our security researchers found — including the infamous critical Apache Struts vulnerability.
The query technology that powers LGTM is trusted by security researchers and developers in leading organizations around the world, including Microsoft, Google, Credit Suisse, NASA, Nasdaq, and Dell.
The Semmle security team takes responsible disclosure very seriously. As with any other security vulnerability, the team has worked closely with the developers at Pivotal to ensure an effective patch is made available as quickly as possible. At Pivotal’s request and due to the critical nature of this vulnerability, we postponed publication of this blog post until March 2018.
For more information about our security team, the research they do, and the disclosure policy, visit lgtm.com/security.
Keep in touch
If you’d like to be kept updated on the work of our security team, follow us on Twitter: @lgtmhq. Feel free to contact us at firstname.lastname@example.org if you have further questions about this or other vulnerabilities.
Note: Post originally published on LGTM.com on March 01, 2018