Arbitrary File Read Vulnerability #700

Closed
RichoDemus opened this Issue Nov 4, 2016 · 6 comments


@RichoDemus

Just posting it here so it gets visibility; I didn't write the original message:
http://marc.info/?l=full-disclosure&m=147814643630342&w=2

There appears to be a vulnerability which lets users read any file from the file system.

@jakaarl
Contributor
jakaarl commented Nov 4, 2016

Eeek! 8-O
If the core folks aren't available, I could take a stab at this tonight/tomorrow.

@nightwatchcyber

CVE-2016-9177 has been assigned for this vulnerability:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9177

@jakaarl
Contributor
jakaarl commented Nov 4, 2016 edited

I wasn't able to reproduce in a minimal Spark app JAR, but it's indeed reproducible by running spark.examples.staticresources.StaticResources (in an IDE) and curling away at it. Will have to investigate more.

@jakaarl
Contributor
jakaarl commented Nov 5, 2016

Not really having the time and peace to thoroughly investigate, but based on some quick tests:

  • from IDE, both class path and external file resources are vulnerable
  • running in a standalone Jetty JAR, only external resources are accessible

The difference between running in an IDE and running packaged up is probably due either to resources being inside a JAR file or to a different class loader setup. Should try running in an unpackaged application.
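
An added illustration, not part of the issue thread and not Spark's own code: one way a handler for external static files can guarantee that a request path never resolves outside the configured folder. It assumes the arbitrary read comes from request paths that escape that folder and that the path is already URL-decoded; `StaticFileGuard` and the sample file layout are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Optional;

// Hypothetical helper, not part of Spark: resolves a request path against an
// external static folder and refuses anything that ends up outside it.
public class StaticFileGuard {
    private final Path root;

    public StaticFileGuard(Path externalFolder) throws IOException {
        // Canonical form of the folder, with symlinks resolved once at startup.
        this.root = externalFolder.toRealPath();
    }

    // requestPath is assumed to be already URL-decoded by the caller.
    public Optional<Path> resolve(String requestPath) {
        try {
            // Strip leading separators so resolve() is never handed an absolute path.
            String relative = requestPath.replaceFirst("^[/\\\\]+", "");
            Path candidate = root.resolve(relative).normalize();
            if (!candidate.startsWith(root)) return Optional.empty();
            // Resolve symlinks as well, then check containment a second time.
            Path real = candidate.toRealPath();
            if (!real.startsWith(root) || !Files.isRegularFile(real)) return Optional.empty();
            return Optional.of(real);
        } catch (IOException | InvalidPathException e) {
            // Missing file, unreadable path or illegal characters: do not serve.
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/public/index.html and <tmp>/secret.txt
        Path tmp = Files.createTempDirectory("guard-demo");
        Path pub = Files.createDirectory(tmp.resolve("public"));
        Files.writeString(pub.resolve("index.html"), "<h1>ok</h1>");
        Files.writeString(tmp.resolve("secret.txt"), "not for serving");

        StaticFileGuard guard = new StaticFileGuard(pub);
        for (String p : new String[] {"/index.html", "/../secret.txt", "/missing.css"}) {
            System.out.println(p + " -> " + (guard.resolve(p).isPresent() ? "served" : "rejected"));
        }
    }
}
```

The second containment check after `toRealPath()` matters because a symlink inside the static folder can point outside it even when the normalized path looks contained.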

@perwendel
Owner
perwendel commented Nov 5, 2016 edited

We are available. The emails "AJ" tried to send all got caught by Gmail's spam filters (this guy was aware that this could be the case but "failed" to write that in his emails shown on marc.info).
We are addressing this ASAP.

@perwendel perwendel changed the title from Arbitrary File Read Vulnerability to Arbitrary File Read Vulnerability - Critical Nov 5, 2016
@perwendel perwendel changed the title from Arbitrary File Read Vulnerability - Critical to Arbitrary File Read Vulnerability Nov 5, 2016
@perwendel perwendel added WL:Critical and removed WL:Major labels Nov 5, 2016
@perwendel
Owner
perwendel commented Nov 6, 2016 edited
@perwendel perwendel closed this Nov 6, 2016