Protect against symlink attacks when deploying as systemd or init.d service #11397

@philwebb

CVE-2018-1196: Symlink privilege escalation attack via Spring Boot launch script

Severity

High

Vendor

Spring by Pivotal

Description

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service [1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.

In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.

Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.

[1] https://docs.spring.io/spring-boot/docs/1.5.x/reference/htmlsingle/#deployment-service

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Spring Boot
    • 1.5.0 - 1.5.9
    • 2.0.0.M1 - 2.0.0.M7

Older unmaintained versions of Spring Boot were not analyzed and may be impacted.

Mitigation

Users of affected versions should apply the following mitigation:

  • 1.5.x users should update to 1.5.10
  • 2.0.x pre-release users should update to 2.0.0.RC1

Credit

This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal.
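
An added example, not part of the original issue or the Spring Boot project: a defender-side audit that lists symlinks owned by the service account inside a directory a root-run launch script writes to, when the link resolves outside that directory. The function name, its arguments and the choice of directories to audit are assumptions; the advisory does not name the files involved.

```shell
#!/bin/sh
# Added example (not Spring Boot code).
# Usage: audit_symlinks <run_user> <directory>
#   run_user  - account the service runs as (assumption: passed by the operator)
#   directory - a directory that a root-run service script writes into
# Prints one line per suspicious symlink:
#   ESCAPES <link> -> <target>   link resolves outside the audited directory
#   UNRESOLVED <link>            link target cannot be resolved (dangling path)
# Requires a readlink that supports -f (GNU coreutils or BusyBox).
# File names containing newlines are not handled.
audit_symlinks() {
    run_user=$1
    # Canonicalise the directory so prefix comparison is reliable.
    dir=$(readlink -f "$2") || return 2
    [ -d "$dir" ] || return 2

    find "$dir" -xdev -type l -user "$run_user" 2>/dev/null |
    while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null)
        case "$target" in
            "$dir"/*)
                ;;  # resolves inside the audited directory: not reported
            "")
                printf 'UNRESOLVED %s\n' "$link"
                ;;
            *)
                printf 'ESCAPES %s -> %s\n' "$link" "$target"
                ;;
        esac
    done
}
```

Any line of output is worth investigating before the service is next started or stopped; an empty result means no symlink owned by that account leaves the directory.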

Metadata

Labels

  • type: blocker (An issue that is blocking us from releasing)
  • type: task (A general task)
