Description

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.

In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.

Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

[1] https://docs.spring.io/spring-boot/docs/1.5.x/reference/htmlsingle/#deployment-service

Affected Spring Products and Versions

• Spring Boot
  • 1.5.0 - 1.5.9
  • 2.0.0.M1 - 2.0.0.M7
• Older unmaintained versions of Spring Boot were not analyzed and may be impacted.

Mitigation

Users of affected versions should apply the following mitigation:

• 1.5.x users should update to 1.5.10
• 2.0.x pre-release users should update to 2.0.0.RC1

Credit

This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal.

History

2018-01-30: Initial vulnerability report published