Data Binding Expression Vulnerability in Spring Web Flow
Description
Spring Web Flow is a framework built on Spring MVC that manages web application navigation flows. A vulnerability exists in applications where the MvcViewFactoryCreator's useSpringBinding property remains at its default value of false. In this configuration, view states that process form submissions without explicit data binding declarations (missing the <binder> sub-element) are susceptible to malicious Expression Language (EL) injection attacks, potentially leading to remote code execution.
Remediation
Upgrade Spring Web Flow to a patched version that addresses CVE-2017-4971. Consult the official Pivotal security advisory for specific version requirements.
As an interim mitigation for applications that cannot be upgraded immediately:
1. Enable Spring binding by setting the useSpringBinding property to true in your MvcViewFactoryCreator configuration:
   <webflow:flow-builder-services id="flowBuilderServices" view-factory-creator="mvcViewFactoryCreator"/>
   <bean id="mvcViewFactoryCreator" class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
       <property name="useSpringBinding" value="true"/>
   </bean>

2. Alternatively, explicitly define data binding mappings using the <binder> element in all view states that process form submissions:

   <view-state id="enterData" model="formObject">
       <binder>
           <binding property="firstName" />
           <binding property="lastName" />
       </binder>
       <transition on="submit" to="nextState"/>
   </view-state>

3. Review all flow definitions to ensure proper input validation and binding configurations are in place.
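
One way to carry out the flow-definition review in step 3, as an added example that is not part of the original advisory or of Spring Web Flow: a Python script that lists view states declaring a model attribute but no <binder> child. The function names, the sample flow and the use of the model attribute as the sign that a view state binds form data are assumptions made here.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample flow (not from the advisory): "reviewData" has a model
# but no <binder>; "enterData" mirrors the advisory's explicit binder example.
SAMPLE_FLOW = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <view-state id="enterData" model="formObject">
    <binder>
      <binding property="firstName"/>
      <binding property="lastName"/>
    </binder>
    <transition on="submit" to="reviewData"/>
  </view-state>
  <view-state id="reviewData" model="formObject">
    <transition on="confirm" to="done"/>
  </view-state>
  <view-state id="help"/>
  <end-state id="done"/>
</flow>"""

def local_name(tag):
    # ElementTree writes qualified tags as "{namespace}name"; keep the name.
    return tag.rsplit("}", 1)[-1]

def unbound_view_states(flow_xml):
    """Return ids of view-states that declare a model but no <binder> child."""
    findings = []
    for elem in ET.fromstring(flow_xml).iter():
        # Assumption: a 'model' attribute marks a view state that binds form data.
        if local_name(elem.tag) != "view-state" or "model" not in elem.attrib:
            continue
        if not any(local_name(child.tag) == "binder" for child in elem):
            findings.append(elem.get("id", "<no id>"))
    return findings

def scan_tree(root_dir):
    """Map each XML file under root_dir to its unbound view-state ids."""
    report = {}
    for path in sorted(Path(root_dir).rglob("*.xml")):
        try:
            hits = unbound_view_states(path.read_bytes())
        except ET.ParseError:
            continue  # not well-formed XML, so not a usable flow definition
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"sample": unbound_view_states(SAMPLE_FLOW)}
    for name, ids in found.items():
        print(f"{name}: view-state without <binder>: {', '.join(ids)}")
```

Run it with the directory holding the flow definitions as the only argument; each reported id is a view state that needs either a <binder> element or the useSpringBinding setting from step 1.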