
Arbitrary File Read Vulnerability #700

Closed
RichoDemus opened this issue Nov 4, 2016 · 6 comments

Comments

@RichoDemus

commented Nov 4, 2016

Just posting it here so it gets visibility, I didn't write the original message:
http://marc.info/?l=full-disclosure&m=147814643630342&w=2

There appears to be a vulnerability which lets users read any file from the file system

@jakaarl

Contributor

commented Nov 4, 2016

Eeek! 8-O
If the core folks aren't available, I could take a stab at this tonight/tomorrow.

@nightwatchcyber


commented Nov 4, 2016

CVE-2016-9177 has been assigned for this vulnerability:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9177

@jakaarl

Contributor

commented Nov 4, 2016

I wasn't able to reproduce in a minimal Spark app JAR, but it's indeed reproducible by running spark.examples.staticresources.StaticResources (in an IDE) and curling away at it. Will have to investigate more.

@jakaarl

Contributor

commented Nov 5, 2016

Not really having the time and peace to thoroughly investigate, but based on some quick tests:

  • from IDE, both class path and external file resources are vulnerable
  • running in a standalone Jetty JAR, only external resources are accessible

The difference in running in an IDE and running as a packaged up is probably either due to resources being inside a JAR file, or different class loader setup. Should try running in an unpackaged application.
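One defensive pattern for the external-resources case discussed above, as an added illustration (this is not Spark's own code and not the fix in the referenced commit): canonicalise the configured base directory once, resolve every request path against it, and refuse anything that does not still live under that base after normalisation and symlink resolution. `SafeStaticFileResolver` and its temp-directory layout are hypothetical; the request path is assumed to be percent-decoded already, as a servlet container would do.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical resolver for an "external static files" location (not Spark's code). */
public final class SafeStaticFileResolver {
    private final Path baseDir;

    public SafeStaticFileResolver(String externalLocation) {
        // Canonicalise the base once so "." and ".." segments cannot skew the comparison.
        this.baseDir = Paths.get(externalLocation).toAbsolutePath().normalize();
    }

    /** Returns the file to serve, or null when the request must be refused. */
    public Path resolve(String requestPath) {
        if (requestPath == null || requestPath.isEmpty()) {
            return null;
        }
        // Strip the leading "/" so resolve() treats the request as relative to baseDir.
        String relative = requestPath.startsWith("/") ? requestPath.substring(1) : requestPath;
        // Conservative: NUL bytes and backslashes have no legitimate use in a URL path here.
        if (relative.indexOf('\0') >= 0 || relative.contains("\\")) {
            return null;
        }
        Path candidate = baseDir.resolve(relative).normalize();
        // Path.startsWith compares whole components, so /base does not match /basement.
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        try {
            // Follow symlinks in the final path and check containment again on the real path.
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir.toRealPath()) || !Files.isRegularFile(real)) {
                return null;
            }
            return real;
        } catch (IOException e) {
            return null; // missing or unreadable file: treat as not found
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: one servable file inside a temp directory.
        Path tmp = Files.createTempDirectory("static");
        Files.write(tmp.resolve("index.html"), "<h1>ok</h1>".getBytes());
        SafeStaticFileResolver r = new SafeStaticFileResolver(tmp.toString());
        System.out.println(r.resolve("/index.html"));          // real path of index.html
        System.out.println(r.resolve("/../../etc/hostname"));  // null: escapes baseDir
        System.out.println(r.resolve("/"));                    // null: a directory, not a file
    }
}
```

The same containment check applies to classpath resources: build the resource name from a normalised relative path and refuse any candidate that leaves the configured resource root before calling the class loader.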

@perwendel

Owner

commented Nov 5, 2016

We are available. The emails "AJ" tried to send all got caught by gmail's spam filters (which this guy was aware could be the case, but "failed" to mention in his emails shown on marc.info).
We are addressing this ASAP.

@perwendel perwendel changed the title Arbitrary File Read Vulnerability Arbitrary File Read Vulnerability - Critical Nov 5, 2016
@perwendel perwendel changed the title Arbitrary File Read Vulnerability - Critical Arbitrary File Read Vulnerability Nov 5, 2016
@perwendel perwendel added WL:Critical and removed WL:Major labels Nov 5, 2016
perwendel added a commit that referenced this issue Nov 5, 2016
perwendel added a commit that referenced this issue Nov 6, 2016
…sue-700

Fix for #700 - Arbitrary File Read Vulnerability
@perwendel

Owner

commented Nov 6, 2016

@perwendel perwendel closed this Nov 6, 2016