CVE-2018-1196: Symlink privilege escalation attack via Spring Boot launch script
High
Spring by Pivotal
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.
In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.
Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.
[1] https://docs.spring.io/spring-boot/docs/1.5.x/reference/htmlsingle/#deployment-service
Severity is high unless otherwise noted.
- Spring Boot
- 1.5.0 - 1.5.9
- 2.0.0.M1 - 2.0.0.M7
- Older unmaintained versions of Spring Boot were not analyzed and may be impacted.
Users of affected versions should apply the following mitigation:
- 1.5.x users should update to 1.5.10
- 2.0.x pre-release users should update to 2.0.0.RC1
This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal.
2018-01-30: Initial vulnerability report published