Spring Security Advisories

CVE-2018-1196: Symlink privilege escalation attack via Spring Boot launch script

HIGH | JANUARY 30, 2018 | CVE-2018-1196

Description

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.

In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.

Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

[1] https://docs.spring.io/spring-boot/docs/1.5.x/reference/htmlsingle/#deployment-service

Affected Spring Products and Versions

  • Spring Boot
    • 1.5.0 - 1.5.9
    • 2.0.0.M1 - 2.0.0.M7
  • Older unmaintained versions of Spring Boot were not analyzed and may be impacted.

Mitigation

Users of affected versions should apply the following mitigation:

  • 1.5.x users should update to 1.5.10
  • 2.0.x pre-release users should update to 2.0.0.RC1

Credit

This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal.

History

  • 2018-01-30: Initial vulnerability report published

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all