Alert: Spring Cloud Config Directory Traversal Vulnerability (CVE-2019-3799)
- Source: SANGFOR Security Center
- Date Published: 2019-04-20
Spring is a layered Java/Java EE/.NET application framework: an open-source, layered framework built on the IoC (inversion of control) and AOP (aspect-oriented programming) architectures. It offers a modular and elegant way to build MVC applications as well as a unified API for the various kinds of data access. Because it adopts IoC, configuring beans is simpler; it also provides easy-to-use AOP and implements transaction management among other functions. It supports a straightforward development model that does not require the many property files and helper classes that otherwise make the underlying code complex and confusing, and it is widely used today. Spring Data is a module of the Spring framework that provides access to underlying data stores, and Spring Data Commons is its shared base module.
CVE-2019-3799 technical details: because the spring-cloud-config-server module does not impose security restrictions on inbound request paths, an attacker can chain ../ sequences to traverse directories and read sensitive files elsewhere on the server, resulting in sensitive information disclosure.
The official patch adds an isInvalidEncodedPath function that checks the inbound URL: if the URL contains %, it is URL-decoded first, so an attacker cannot evade the ../ check by URL-encoding it.
The newly added isInvalidPath function checks the URL for keywords: if the URL contains WEB-INF, META-INF, .. or ../, a warning is triggered.
Download a vulnerable version of Spring Cloud Config from the following links:
Once the reproduction environment is ready, send a GET request for /test/pathtraversal/master/../../../../../etc/passwd; on Linux the contents of the passwd file are returned, as shown below:
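The two checks described above can be reconstructed to see why decoding before validation matters, and the same logic can be run over web-server access logs to find requests like the reproduction step. The following is an added example written for this alert, not code from Spring Cloud Config: the names isInvalidPath and isInvalidEncodedPath come from the advisory, but the implementation (segment-wise matching of "..", a bounded decode loop for double encoding) is this article's reconstruction, and the access-log lines are constructed samples rather than real traffic.

```python
import re
from urllib.parse import unquote

# Reconstruction (not Spring's own code) of the path checks the advisory
# attributes to the isInvalidPath / isInvalidEncodedPath functions.


def is_invalid_path(path: str) -> bool:
    """Reject paths that reference WEB-INF, META-INF or contain a '..' segment."""
    upper = path.upper()
    if "WEB-INF" in upper or "META-INF" in upper:
        return True
    # Match '..' as a whole path segment ('/../', leading '../', trailing '/..')
    # rather than as a substring, so a file named 'notes..txt' is not rejected.
    segments = re.split(r"[\\/]", path)
    return any(seg == ".." for seg in segments)


def is_invalid_encoded_path(path: str) -> bool:
    """If the path is percent-encoded, decode it and re-run the same checks.

    Decoding is repeated a bounded number of times (an assumption of this
    example) so that double-encoded sequences such as %252e%252e are also caught.
    """
    if "%" not in path:
        return False
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return is_invalid_path(decoded)


def is_safe_resource_path(path: str) -> bool:
    """True only if both the raw and the decoded form pass the checks."""
    return not (is_invalid_path(path) or is_invalid_encoded_path(path))


# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2019:10:00:01 +0000] "GET /test/pathtraversal/master/application.yml HTTP/1.1" 200 512
10.0.0.7 - - [20/Apr/2019:10:00:02 +0000] "GET /test/pathtraversal/master/../../../../../etc/passwd HTTP/1.1" 200 1821
10.0.0.7 - - [20/Apr/2019:10:00:03 +0000] "GET /test/pathtraversal/master/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1821
10.0.0.9 - - [20/Apr/2019:10:00:04 +0000] "GET /test/pathtraversal/master/notes..txt HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_traversal_requests(log_text: str):
    """Return (client_ip, path, status) for every request whose path fails the checks.

    A 200 status on a flagged path indicates the server most likely served the file.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # drop any query string
        if not is_safe_resource_path(path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} (HTTP {status})")
```

Running the block over the sample log flags the two requests from 10.0.0.7 (the plain ../ path and its percent-encoded form) and leaves the legitimate application.yml request and the notes..txt filename alone; the encoded request is only caught because the check is applied to the decoded path, which is exactly the gap the isInvalidEncodedPath addition closes.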
Globally, over 50,000 Spring-based servers are exposed to the Internet, more than 28,000 of them in China.
Affected versions:
- Spring Cloud Config 2.1.0 to 2.1.1
- Spring Cloud Config 2.0.0 to 2.0.3
- Spring Cloud Config 1.4.0 to 1.4.5
References
Sangfor Security Cloud was updated promptly and can now probe websites for this vulnerability to keep users secure.
For Sangfor NGAF customers, simply update the security capabilities and enable the corresponding protection feature.
Spring has released a patch to fix the vulnerability. Download it from the following link: https://github.com/spring-cloud/spring-cloud-config/releases