Symlink privilege escalation attack via Spring Boot launch script

HIGH | JANUARY 30, 2018 | CVE-2018-1196

Description

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.

In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.

Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

[1] https://docs.spring.io/spring-boot/docs/1.5.x/reference/htmlsingle/#deployment-service

Affected Spring Products and Versions

Spring Boot:

  • 1.5.9 and earlier

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Fix versionAvailability
1.5.10OSS

No further mitigation steps are necessary.

Credit

This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal.

History

  • 2018-01-30: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all