All Vulnerability Reports

CVE-2018-1196: Symlink privilege escalation attack via Spring Boot launch script


Severity

High

Vendor

Spring by Pivotal

Description

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.

In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.

Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

[1] https://docs.spring.io/spring-boot/docs/1.5.x/reference/htmlsingle/#deployment-service

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Spring Boot
    • 1.5.0 - 1.5.9
    • 2.0.0.M1 - 2.0.0.M7
  • Older unmaintained versions of Spring Boot were not analyzed and may be impacted.
Mitigation

Users of affected versions should apply the following mitigation:

  • 1.5.x users should update to 1.5.10
  • 2.0.x pre-release users should update to 2.0.0.RC1
Credit

This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal.

History

2018-01-30: Initial vulnerability report published