Recently WhiteSource security scanner started reporting WS-2016-7107 against Spring-based applications. This is an old issue  in Spring Security that was reported in 2016. Unfortunately, at the moment of writing it, the issue has not been fixed yet. But there is a pull request  that should address it. The problem is that CSRF tokens generated by Spring Security are vulnerable to the BREACH  attack. The attack is even older — it was published in 2013. The BREACH attack is similar to the CRIME attack but BREACH doesn’t need TLS compression.

There are several conditions for a successful attack:

1. The attacker should be able to inject partially chosen plaintext into the victim’s requests (that is usually called chosen-plaintext attack model).
2. The attacker should be able to observe the encrypted traffic from the victim.
3. HTTP compression should be enabled.

TLS configuration doesn’t matter. In the case of a Spring-based application, a successful attack allows the attacker to recover the victim’s CSRF tokens. That’s what WS-2016-7107 is about.

The issue seems to get quite a lot of attention because WhiteSource reports it against almost all applications that use Spring Framework. Look at the number of linked WhiteSource reports in the original issue on GitHub. And that’s only projects on GitHub that use WhiteSource. What makes it worse is that the issue is still open. Therefore, it is not possible to fix this issue in an application just by bumping the version of Spring Security. Furthermore, if the proposed fix is accepted, it will be likely released only in the next major update of Spring Security because the fix updates the public API.

#java #security #software-development #spring-framework #vulnerability