Red Hat Bugzilla – Bug 1542002
CVE-2018-1196 Spring Boot: Symlink privilege escalation attack via launch script
Last modified: 2018-02-11 19:01:28 EST
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service[1]. The script included with Spring Boot 1.5.9 and earlier is susceptible to a symlink attack which allows the “run_user” to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the “run_user” requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible. External References: https://pivotal.io/security/cve-2018-1196
The example boosters for Spring Boot in Red Hat Openshift Application Runtimes (RHOAR) use Fabric8 Maven plugin and the OpenJDK8 base image. This image in turn uses the run-java-sh project to launch a executable jar. It is not installed as a service, nor does it use the embedded launch script. Marking RHOAR as not affected. OpenJDK8 base image: https://github.com/fabric8io-images/java/blob/master/images/jboss/openjdk8/jdk/Dockerfile
JBoss fuse uses couple of spring-boot artifacts in camel-spring-boot components however none of these components utilise the embedded launch script. Also Spring boot image for Fuse Integration Services uses fabric8 Java base image that has it's own dedicated script to execute the jar. So marking fuse as not affected.