Bug 1408164 – CVE-2016-9878 Spring Framework: Directory Traversal in the Spring Framework ResourceServlet

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1408164 - (CVE-2016-9878) CVE-2016-9878 Spring Framework: Directory Traversal in the Spring Framework ResourceServlet

Summary:	CVE-2016-9878 Spring Framework: Directory Traversal in the Spring Framework R...

Status:	NEW

Aliases:	CVE-2016-9878

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20161221,repor...
Keywords:	Security

Depends On:	1408165
Blocks:	1408166
	Show dependency tree / graph

Reported:	2016-12-22 05:59 EST by Adam Mariš
Modified:	2018-07-18 11:09 EDT (History)
CC List:	67 users (show)

See Also:
Fixed In Version:	Spring Framework 3.2.18, Spring Framework 4.2.9, Spring Framework 4.3.5
Doc Type:	If docs needed, set a value
Doc Text:	It was found that ResourceServlet in Spring Framework does not sanitize the paths that have been provided properly. An attacker can utilize this flaw to conduct a directory traversal attacks.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3115	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Fuse/A-MQ 6.3 R5 security and bug fix update	2017-11-02 20:08:36 EDT

Groups: None (edit)

Description Adam Mariš 2016-12-22 05:59:26 EST

It was found that paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Upstream bug:

https://jira.spring.io/browse/SPR-14946

Upstream patches:

https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad
https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98
https://github.com/spring-projects/spring-framework/commit/a7dc48534ea501525f11369d369178a60c2f47d0

External References:

https://pivotal.io/security/cve-2016-9878

Comment 1 Adam Mariš 2016-12-22 06:00:35 EST

Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1408165]

Comment 2 Jason Shepherd 2017-01-02 19:39:55 EST

Could not find any uses for ResourceServlet in Red Hat Mobile Application Platform. Marking as not affected.

Comment 4 Jason Shepherd 2017-01-02 20:27:52 EST

EAP 5 is in Extended Life Support phase, so we won't fix this moderate issue on that product.

Comment 6 errata-xmlrpc 2017-11-02 16:09:15 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:3115 https://access.redhat.com/errata/RHSA-2017:3115

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
aileenc
alazarot
aszczucz
avibelli
awels
bdawidow
bmcclain
chazlett
dandread
dblechte
dmcphers
eedri
epp-bugs
etirelli
fnasser
gjospin
gklein
gsterlin
gvarsami
hghasemb
huwang
java-sig-commits
jbalunas
jbpapp-maint
jcoleman
jialiu
jokerman
jolee
jpallich
jschatte
jshepherd
kconner
kverlaen
ldimaggi
lgao
lmeyer
lpetrovi
lsurette
mbaluch
mgoldboi
michal.skrivanek
mmccomas
mweiler
mwinkler
myarboro
nthomas
nwallace
puntogil
Rhev-m-bugs
rrajasek
rwagner
rzhang
sankarshan
sbonazzo
sisharma
soa-p-jira
srevivo
tcunning
theute
tiwillia
tjay
tkirby
twalsh
vhalbert
ykaul
ylavi