VMware SpringSource Remote Code Execution

July 8, 2010

SpringSource is a division of VMWare, Inc. provides a suite of software products that accelerate the entire build, run, and manage enterprise Java application lifecycle. SpringSource also provides support for the open source application frameworks Spring and Grails which run on the Java Virtual Machine. The SpringSource Spring Framework is a framework in the Java web development industry.

Java is a programming language originally developed by James Gosling at Sun Microsystems. Java is general-purpose, concurrent, class-based, and object-oriented, and is specifically designed to have as few implementation dependencies as possible. All code in Java is written inside a class and everything is an object, with the exception of the intrinsic data types (ordinal and real numbers, boolean values, and characters), which are not classes for performance reasons. A typical Java class is listed as bellow:

 // Outputs "Hello, world!" and then exits public class HelloWorld {    public static void main(String[] args) {        System.out.println("Hello, world!");    } }

A software construct used within the Spring Framework is the JavaBean. A JavaBean is a reusable software component that conforms to a particular convention. It is a Java Object that is serializable, has a nullary constructor, and allows access to properties using getter and setter methods. One way Spring Framework enables rapid web application development is by leveraging introspection and JavaBeans into a single concept: a form backing bean. A form backing bean enables a Java Spring developer to map web form input to a JavaBean. The mapping has several properties:

commandClass - the class of the object that will be used to represent the data in this form. commandName - the name of the command object. sessionForm validator - a class that validate data that is passed in from the form. formView - the JSP for the form successView - the JSP that the user is routed to if the form submits with no validation errors.

When an HTML form is submitted to a URL, the Spring web framework will instantiate an instance of the JavaBean specified by commandClass.

A remote code execution vulnerability exists in VMware SpringSource Spring Framework. The vulnerability is due to a design error when processing submissions to a URL utilizing a form backing bean. During the classs initialization, all properties of the Class object can be modified by a remote user; including the Class object's classLoader property. This allows the attackers to inject and execute arbitrary code with the privileges of the target service.

SonicWALL UTM team has researched this vulnerability and created the following IPS signature:

  • 4551 VMware SpringSource Remote Code Execution

This issue is referred by CVE as CVE-2010-1622.