Bug 1593527 (CVE-2018-10862) - CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)
Summary: CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10862
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1594635 1594634 1594636 1700959 1700960
Blocks: 1593112
Reported: 2018-06-21 02:09 UTC by Sam Fowler
Modified: 2021-02-17 00:06 UTC (History)

Fixed In Version: wildfly-core 6.0.0.Alpha3
Doc Type: If docs needed, set a value
Doc Text:
It was found that the explode function of the deployment utility in jboss-cli and the console, which extracts files from an archive, does not perform the necessary validation against directory traversal. This can lead to remote code execution.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:29:41 UTC
Embargoed:




Links
System ID                                  Last Updated
Red Hat Product Errata RHSA-2018:2276      2018-07-26 15:48:54 UTC
Red Hat Product Errata RHSA-2018:2277      2018-07-26 15:40:10 UTC
Red Hat Product Errata RHSA-2018:2279      2018-07-26 15:49:48 UTC
Red Hat Product Errata RHSA-2018:2423      2018-08-15 11:32:12 UTC
Red Hat Product Errata RHSA-2018:2424      2018-08-15 11:33:53 UTC
Red Hat Product Errata RHSA-2018:2425      2018-08-15 11:21:19 UTC
Red Hat Product Errata RHSA-2018:2428      2018-08-15 11:29:03 UTC
Red Hat Product Errata RHSA-2018:2643      2018-09-04 13:46:16 UTC
Red Hat Product Errata RHSA-2019:0877      2019-04-24 18:46:52 UTC
Red Hat Product Errata RHSA-2020:2321      2020-05-26 16:09:18 UTC
Red Hat Product Errata RHSA-2020:2562      2020-06-15 16:14:29 UTC

Description Sam Fowler 2018-06-21 02:09:46 UTC
WildFly does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files.

This is an instance of the 'Zip Slip' vulnerability.


Upstream Issue:

https://issues.jboss.org/browse/WFCORE-3938


External Reference:

https://snyk.io/research/zip-slip-vulnerability
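The missing check the report describes, as an added example that is not WildFly's code: a small Python stand-in for an "explode" routine that canonicalises each entry's destination and refuses any archive whose entries resolve outside the deployment directory. The sample .war and the entry names in it are constructed here for illustration.

```python
import io
import os
import zipfile


def resolves_inside(target_dir: str, entry_name: str) -> bool:
    """True only if entry_name, joined to target_dir, canonicalises to a path under
    target_dir; '..' components or a leading '/' make it resolve outside (Zip Slip)."""
    root = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(root, entry_name))
    return os.path.commonpath([root, candidate]) == root


def classify_entries(zip_bytes: bytes, target_dir: str) -> tuple[list[str], list[str]]:
    """Split the archive's entry names into (accepted, rejected) without writing anything."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            (accepted if resolves_inside(target_dir, name) else rejected).append(name)
    return accepted, rejected


def safe_explode(zip_bytes: bytes, target_dir: str) -> list[str]:
    """Explode the archive into target_dir; refuse the whole archive if any entry escapes."""
    accepted, rejected = classify_entries(zip_bytes, target_dir)
    if rejected:
        raise ValueError(f"archive contains traversal entries: {rejected}")
    root = os.path.realpath(target_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in accepted:
            dest = os.path.join(root, name)  # already validated to stay under root
            if name.endswith("/"):
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(name) as src, open(dest, "wb") as dst:
                dst.write(src.read())
    return accepted


def build_sample_war() -> bytes:
    """Constructed sample: two ordinary entries plus two whose names try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.html", "<h1>hello</h1>")
        zf.writestr("../../outside.txt", "would land two levels above the root")
        zf.writestr("/absolute/outside.txt", "would land at an absolute path")
    return buf.getvalue()
```

Rejecting the archive outright, rather than skipping the bad entries, avoids leaving a half-deployed .war in the deployments directory.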

Comment 5 Doran Moppert 2018-06-25 04:26:45 UTC
Statement:

This vulnerability can only be exploited by users with deployment permissions.

Comment 6 Doran Moppert 2018-06-25 04:30:09 UTC
Created wildfly-common tracking bugs for this issue:

Affects: epel-7 [bug 1594635]


Created wildfly-core tracking bugs for this issue:

Affects: fedora-all [bug 1594634]

Comment 9 errata-xmlrpc 2018-07-26 15:39:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2277 https://access.redhat.com/errata/RHSA-2018:2277

Comment 10 errata-xmlrpc 2018-07-26 15:48:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:2276 https://access.redhat.com/errata/RHSA-2018:2276

Comment 11 errata-xmlrpc 2018-07-26 15:49:28 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2018:2279 https://access.redhat.com/errata/RHSA-2018:2279

Comment 12 errata-xmlrpc 2018-08-15 11:20:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2425

Comment 13 errata-xmlrpc 2018-08-15 11:28:40 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.2.4 zip

Via RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2428

Comment 14 errata-xmlrpc 2018-08-15 11:31:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2423

Comment 15 errata-xmlrpc 2018-08-15 11:33:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2424

Comment 16 Steve Goodman 2018-08-30 10:13:21 UTC
If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field.

The documentation team will review, edit, and approve the text.

If this bug does not require doc text, please set the 'requires_doc_text' flag to -.

Comment 17 errata-xmlrpc 2018-09-04 13:45:52 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643

Comment 23 errata-xmlrpc 2019-04-24 18:46:50 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:0877

Comment 25 errata-xmlrpc 2020-05-26 16:09:14 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321

Comment 26 errata-xmlrpc 2020-06-15 16:14:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2562 https://access.redhat.com/errata/RHSA-2020:2562
