Back on the 16th of July, ZDNet writer Paula Rooney published this post, which aggregates some of the details around the Spring MVC framework issues. Reading the write-up, I get the sense that there are some complex issues at work here, and that remediation isn't a matter of simply applying a patch: if the fix lives in how applications are written on top of the framework rather than in the framework itself, there is no single vendor update that makes the problem go away.
What I do find interesting is that Ryan Berg from Ounce Labs doesn't see these issues as "vulnerabilities", but rather as features that are "insecure by design". To quote the article further...
"SpringSource plans to release in the near future an update in one of its MVC demo templates to show app developers how to avoid this vulnerability. Ounce maintains that the vulnerability is not a security flaw in the framework itself but an application development issue. Many Java applications and business processes built on Spring are insecure by default and should be fixed – even if it means breaking existing applications, Berg said."

How interesting. I wonder if this is limited to Java? What about the Microsoft .NET frameworks... and what about all the extensive AJAX frameworks? I wonder if we're building in security defects simply by using some of these new frameworks?
More to come as I try to learn a little more about how frameworks can introduce vulnerabilities into code and the development process.