It was discovered that the default implementation of FileUploadServlet and FileDownloadServlet provided by the UberFire Framework did not restrict the paths a file could be written to or read from. In applications using this framework and exposing these servlets, a remote attacker could gain access to information stored in files accessible to the application container process, or execute arbitrary code by uploading malicious content.
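The missing control described above is a containment check: a client-supplied file name must be resolved against a fixed base directory and rejected if the normalised result leaves that directory. The following is an added example written for this advisory, not UberFire's own code or its actual fix; the class name SafePathResolver, the method resolveInside and the sample base directory /srv/app/uploads are assumptions chosen for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

/**
 * Added example (not UberFire code): resolve a client-supplied file name
 * against a fixed base directory and reject any request that would read
 * or write outside it. A servlet would call resolveInside() before
 * opening any stream on the result.
 */
public final class SafePathResolver {

    private SafePathResolver() {}

    /**
     * Returns the absolute path inside {@code baseDir} for {@code userPath},
     * or empty if the request would escape the base directory or point at
     * the base directory itself.
     */
    public static Optional<Path> resolveInside(Path baseDir, String userPath) {
        if (userPath == null || userPath.isEmpty()) {
            return Optional.empty();
        }
        // Normalise the base once so the comparison below is against a
        // canonical absolute form with no "." or ".." segments.
        Path base = baseDir.toAbsolutePath().normalize();

        // resolve() then normalize() collapses "../" sequences in the input.
        // An absolute input such as "/etc/passwd" replaces the base entirely
        // in resolve(), so it also ends up failing the containment check.
        Path candidate = base.resolve(userPath).normalize();

        // startsWith() is segment-aware: "/srv/app/uploads2" does not count
        // as being under "/srv/app/uploads".
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/uploads"); // constructed sample base directory
        String[] samples = {                       // constructed sample inputs
            "report.pdf",
            "sub/dir/report.pdf",
            "../../../etc/passwd",
            "/etc/passwd",
            "sub/../../escape.txt",
            ".",
        };
        for (String s : samples) {
            System.out.printf("%-24s -> %s%n", s,
                resolveInside(base, s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

Two caveats a reviewer would raise against this check alone: java.nio normalisation is purely lexical, so a symbolic link already present under the base directory can still point outside it (call toRealPath() on the candidate and re-check containment when links are a concern), and for an upload endpoint it is usually simpler to keep only the last path segment of the supplied name and generate the storage location server-side rather than accept any directory structure from the client.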
Acknowledgements: Red Hat would like to thank David Jorm for reporting this issue.
Fix pushed to the following *feature branches*:
https://github.com/uberfire/uberfire/tree/0.3.x-BZ1169544
https://github.com/droolsjbpm/guvnor/tree/6.0.x-BZ1169544
https://github.com/droolsjbpm/kie-wb-distributions/tree/6.0.x-BZ1169544

Fix pushed to product branches 0.3.x/6.0.x:
https://github.com/uberfire/uberfire/commit/21ec50eb15
https://github.com/droolsjbpm/guvnor/commit/eeb6232ffa
https://github.com/droolsjbpm/kie-wb-distributions/commit/90eed433d3

Fix pushed:
(0.3.x) https://github.com/uberfire/uberfire/commit/a471b260a2
(6.0.x) http://github.com/droolsjbpm/guvnor/commit/2058f3687
(6.0.x) http://github.com/droolsjbpm/kie-wb-distributions/commit/6fbed2d56
This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html