The 2010 Pwnie Nominee For Lamest Vendor Response

SpringSource remote code execution vulnerability (CVE-2010-1622)

Vendor: SpringSource, a division of VMware

Most nominations for Lamest Vendor Response are a result of a vendor downplaying a vulnerability, but this particular case is different. In their advisory, SpringSource just casually announced their biggest security vulnerability ever as a “Critical” severity, causing companies everywhere to go nuts patching and doing Emergency Releases. The vendor pretty much just said “Yeah, remote code exec with 100% reliability on anybody running our shit, you should patch dude”.

What they DIDN’T mention is that this can only be exploited on a URL path that points to an uncompiled JSP, which is very rare. For any decently large website the window of vulnerability is extremely small or non-existent due to pre-compiled JSPs. This is all outlined in the original report by Meder Kydyraliev, who discovered the bug.

It should be noted that, based on my quick inspection of the code, TldLocationsCache gets URLs from the class loader only once upon its initialization and thus, in order for an attack to work with the Tomcat+Spring MVC combination, an attacker has to submit her request to overwrite the class loader’s URLs before any of the JSP pages have been requested, which makes this attack a lot harder to carry out.