CVE-2018-1196: Symlink privilege escalation attack via Spring Boot launch script
Severity
High
Vendor
Spring by Pivotal
Description
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service [1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.
In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.
Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
Just an observation on this issue and the Boot 1.5.10 release announcement - looking at 9b8cb9a, I believe systemd isn't affected, as it only uses the run method from launch.script and actually handles the PID file by itself.
[1] https://docs.spring.io/spring-boot/docs/1.5.x/reference/htmlsingle/#deployment-service
Affected Pivotal Products and Versions
Severity is high unless otherwise noted.
Older unmaintained versions of Spring Boot were not analyzed and may be impacted.
Mitigation
Users of affected versions should apply the following mitigation:
1.5.x users should update to 1.5.10
2.0.x pre-release users should update to 2.0.0.RC1
Credit
This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal.
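A triage check for the conditions the advisory lists (embedded launch script, installed as a service, affected version), added here as an example and not taken from the advisory or the Spring Boot project. It assumes the launch script is prepended to the jar ahead of the zip data, that the manifest carries `Spring-Boot-Version`, and that init.d installs are symlinks to the jar as in the linked docs; all function names are hypothetical.

```python
import io, os, re, zipfile

def make_sample_jar(version, with_script=True):
    """Constructed sample: minimal jar, optionally prefixed by a stub launch script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nSpring-Boot-Version: %s\r\n" % version)
    stub = b"#!/bin/bash\n# stub standing in for the embedded launch script\nexit 0\n"
    return (stub if with_script else b"") + buf.getvalue()

def version_status(version):
    """Map a Spring-Boot-Version string onto the advisory's version guidance."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?$", version or "")
    if not m:
        return "unknown"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    qualifier = m.group(4) or ""
    if (major, minor) < (1, 5):
        return "not-analyzed"          # advisory: older versions may be impacted
    if (major, minor) == (1, 5):
        return "affected" if patch <= 9 else "fixed"   # fixed in 1.5.10
    if (major, minor, patch) == (2, 0, 0):
        if re.fullmatch(r"M\d+", qualifier):
            return "affected"          # milestones before 2.0.0.RC1
        return "unknown" if "SNAPSHOT" in qualifier else "fixed"
    return "fixed"

def assess(jar_path, initd_dir="/etc/init.d"):
    """Report whether a jar meets the checkable conditions the advisory names."""
    with open(jar_path, "rb") as f:
        has_script = f.read(2) == b"#!"    # plain jars start with b"PK"
    with zipfile.ZipFile(jar_path) as zf:  # zipfile tolerates the script prefix
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Spring-Boot-Version:\s*(\S+)", manifest, re.M)
    version = m.group(1) if m else None
    real = os.path.realpath(jar_path)
    # Assumption: init.d installs are symlinks to the jar, as in the linked docs.
    services = sorted(n for n in os.listdir(initd_dir)
                      if os.path.realpath(os.path.join(initd_dir, n)) == real)
    status = version_status(version)
    return {"version": version, "status": status, "launch_script": has_script,
            "initd_services": services,
            "exposed": has_script and bool(services) and status == "affected"}

if __name__ == "__main__":
    import sys
    print(assess(sys.argv[1]))
```

Whether the “run_user” has shell access cannot be read from the jar and has to be checked separately on the host.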