I came across an article, "Open source library with vulnerabilities".
This article states that "Spring Expression Language (SpEL) could be exploited through HTTP parameter submissions that would allow attackers to get sensitive system data, application and user cookies."
Can someone shed more light on this, please?
The Spring4Shell RCE vulnerability allows attackers to execute code on applications using the Spring Framework before 5.3.18 or 5.2.20, with JDK 9+. In addition, applications need to be mapping request parameters into Plain Old Java Objects (POJOs) to be vulnerable.
SpEL injection occurs when user-controlled data is passed directly to the SpEL expression parser. For instance, the following method uses the standard context to evaluate a SpEL expression:

private static final SpelExpressionParser PARSER = new SpelExpressionParser();
The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime. The language syntax is similar to Unified EL but offers additional features, most notably method invocation and basic string templating functionality.
Aspect Security's discovery was made in January 2013, but the fix that SpringSource published was made available back in 2011, when this was first discovered. Dan Amodio of Aspect Security informed SpringSource about the possibility of remote code execution.
SpringSource updated our security report on 12-06-2012 with Aspect Security's finding, but the fix/mitigation listed in the original advisory is still applicable: http://support.springsource.com/security/cve-2011-2730
This vulnerability only affects Spring Framework versions:
• 3.0.0 to 3.0.5 -- upgrading to 3.0.6 here would solve the issue.
• 2.5.0 to 2.5.6.SEC02 (community releases) -- upgrading to 2.5.6.SEC03 here would solve the issue.
• 2.5.0 to 2.5.7.SR01 (subscription customers) -- upgrading to 2.5.7.SR02 here would solve the issue.
This has been fixed in all versions going forward – the current release of SpringFramework is 3.2, released in Dec 2012.
Thanks,
-Pieter (SpringSource)
Check out this Aspect Security/Minded Security evaluation of SpEL (Google Docs link), which the article you link to is probably referring to (for the specific case of SpEL).
They describe how certain Spring JSP tags double-evaluate EL expressions. In these cases it may be possible for the user to submit data to the server in the form of SpEL, e.g. as a request parameter with the value ${bean.val} (URL encoded):

http://...?exp=$%7Bbean.val%7D

Inside JSP pages, the expression ${param.exp} will be resolved to the text ${bean.val}, which by itself is safe. If, however, that expression resides within an attribute of a Spring JSTL tag, that resolved value may be evaluated again, e.g. in the spring:message tag:

<spring:message message="${param.exp}" />

will result in the value ${bean.val} being passed through to the spring:message tag, which will evaluate the bean.getVal() method. Hence we now have code submitted by the client being run on the server.
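As an added, runnable illustration of the two answers above (the SpEL-parser answer and the spring:message double-evaluation answer), and not code from any of the posts or from the Spring project: the class below evaluates a constructed request parameter with the full StandardEvaluationContext, with the restricted SimpleEvaluationContext (available from Spring 4.3.15 / 5.0.5), and through a modelled two-pass evaluation. The class name, the Bean type, the payload and the parameter values are all assumptions made for the example; the first pass of the double evaluation is a plain text substitution standing in for JSP EL. It needs spring-expression and spring-core on the classpath.

```java
import java.util.Map;

import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.ParserContext;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Added example, not code from the original posts. Every "request parameter"
 * below is a constructed stand-in for ?exp=... on a real request.
 */
public class SpelInjectionDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Template syntax matching the ${...} form used in the posts. */
    private static final ParserContext DOLLAR_TEMPLATE = new TemplateParserContext("${", "}");

    /** The object the application meant to expose: one harmless property (assumed). */
    public static class Bean {
        public String getVal() { return "hello"; }
    }

    /** Vulnerable: raw user text is parsed and evaluated with the full StandardEvaluationContext,
        which resolves T(...) type references and can invoke any public method. */
    static Object evaluateUnsafe(String userExpression, Object root) {
        return PARSER.parseExpression(userExpression).getValue(new StandardEvaluationContext(root));
    }

    /** Hardened: SimpleEvaluationContext has no type locator and no bean resolver,
        so T(...) is rejected; only property reads on the root object remain. */
    static Object evaluateRestricted(String userExpression, Object root) {
        return PARSER.parseExpression(userExpression)
                .getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    /**
     * Models the double evaluation described for the spring:message tag. The first
     * pass (JSP EL on a real page, here a text substitution) turns ${param.exp} into
     * the parameter's literal text; the tag then evaluates that text once more, and a
     * ${...} inside it is now run as an expression.
     */
    static Object evaluateTwice(String attribute, Map<String, String> params) {
        String afterFirstPass = attribute.replace("${param.exp}", params.get("exp"));
        return PARSER.parseExpression(afterFirstPass, DOLLAR_TEMPLATE)
                .getValue(new StandardEvaluationContext());
    }

    public static void main(String[] args) {
        Bean root = new Bean();
        // Reads server-side system data; the kind of payload the quoted article refers to.
        String payload = "T(java.lang.System).getProperty('user.name')";

        System.out.println("expected use, standard: " + evaluateUnsafe("val", root));
        System.out.println("payload, standard:      " + evaluateUnsafe(payload, root));
        try {
            System.out.println("payload, restricted:    " + evaluateRestricted(payload, root));
        } catch (EvaluationException e) {
            System.out.println("payload, restricted:    rejected: " + e.getMessage());
        }

        // Double evaluation: after the first pass the parameter is only text,
        // but the second pass evaluates it.
        Map<String, String> request = Map.of("exp", "${" + payload + "}");
        System.out.println("after first pass only:  " + "${param.exp}".replace("${param.exp}", request.get("exp")));
        System.out.println("after second pass:      " + evaluateTwice("${param.exp}", request));
    }
}
```

The practical check this gives you: anywhere a SpelExpressionParser is fed request data, look at which EvaluationContext it runs under. With StandardEvaluationContext the payload above prints the OS user of the server process; with SimpleEvaluationContext the same text fails with an EvaluationException, and only plain property reads such as val still work.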