Bug 1542002 (CVE-2018-1196)

Summary: CVE-2018-1196 Spring Boot: Symlink privilege escalation attack via launch script
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: avibelli, bgeorges, cmoulliard, jbalunas, jpallich, jshepherd, lthon, mszynkie, pgallagh, rruss, trogers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: spring-boot 1.5.10 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:39:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1542003    

Description Andrej Nemec 2018-02-05 11:46:36 UTC 
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system.

In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server.

Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

External References:

https://pivotal.io/security/cve-2018-1196
Comment 1 Jason Shepherd 2018-02-06 00:19:58 UTC 
The example boosters for Spring Boot in Red Hat Openshift Application Runtimes (RHOAR) use Fabric8 Maven plugin and the OpenJDK8 base image. This image in turn uses the run-java-sh project to launch a executable jar. It is not installed as a service, nor does it use the embedded launch script. Marking RHOAR as not affected.

OpenJDK8 base image:
https://github.com/fabric8io-images/java/blob/master/images/jboss/openjdk8/jdk/Dockerfile
Comment 2 Hooman Broujerdi 2018-02-12 00:01:09 UTC 
JBoss fuse uses couple of spring-boot artifacts in camel-spring-boot components however none of these components utilise the embedded launch script.
Also Spring boot image for Fuse Integration Services uses fabric8 Java base image that has it's own dedicated script to execute the jar. So marking fuse as not affected.