2 Replies - 8526 Views - Last Post: 25 January 2013 - 08:24 PM

#1 macosxnerd101

[Link] Spring Framework Flaw Allows Remote Code Injection

Posted 20 January 2013 - 11:53 PM

Out of curiosity, how many of you all use Spring? How many of you all will this affect in a significant way?

Quote

There's a major flaw in the Java-based Spring Framework open-source development code that allows remote-code execution by attackers against applications built with it, according to the security firm Aspect Security, which identified the flaw.

"It allows attackers to inject code," says Jeff Williams, CEO at Aspect Security. The weakness is in what's called the "expression language" function in the Spring Framework development code.


http://www.javaworld...ution-hack.html


Replies To: [Link] Spring Framework Flaw Allows Remote Code Injection

#2 farrell2k

Re: [Link] Spring Framework Flaw Allows Remote Code Injection

Posted 21 January 2013 - 07:53 AM

The company I worked for last year abandoned it in favor of EE6. I don't know much about EE, but one of the web developers said they no longer needed Spring because of it, and because it was an easy transition, they did it.

#3 nick2price

Re: [Link] Spring Framework Flaw Allows Remote Code Injection

Posted 25 January 2013 - 08:24 PM

It's quite interesting. My main focus hasn't really been Java over the past 2 years, but when I looked into Spring vs JavaEE then, it was all about Spring. Now, it seems everything has moved towards JavaEE, so they must have really improved their standards. With my work these days, this wouldn't really affect me. What is interesting though is if you go on any large job posting site and search for Java jobs, so many of them require a good knowledge of Spring. If it allows for code injection, I can see it affecting many large companies (unless they have moved into JavaEE over the past 2 years as well).