The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

cybersecurity threat CVE-2016-9878

Spring Framework: directory traversal via ResourceServlet

Synthesis of the vulnerability

An attacker can traverse directories via ResourceServlet of Spring Framework, in order to read a file outside the service root path.
Severity of this bulletin: 2/4.
Creation date: 22/12/2016.
References of this threat: 1996375, 2015813, CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2016-9878, DLA-1853-1, FEDORA-2016-f341d71730, RHSA-2017:3115-01, VIGILANCE-VUL-21453.

Description of the vulnerability

The Spring Framework includes ResourceServlet, which serves files located under a configured root path.

However, user-supplied data is inserted directly into the file system path. Sequences such as "/.." can therefore be used to move up into the parent directory.

An attacker can therefore traverse directories via ResourceServlet of Spring Framework, in order to read a file outside the service root path.
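The mechanism described above, as an added illustration that is not part of the Vigil@nce bulletin and is not Spring's own code: a small Java program that places the unsafe pattern (request path glued onto the root as text) next to the canonicalize-and-check pattern that stops it. The root directory, the request paths and the method names are assumptions made for the example; nothing is read from disk.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class ResourcePathCheck {

    // Hypothetical service root for the demonstration (assumption); no file is opened.
    static final Path ROOT = Paths.get("/srv/app/static").toAbsolutePath().normalize();

    // Unsafe pattern: the request path is appended to the root as a string, so a
    // request containing "/.." segments produces a path that the operating system
    // resolves above ROOT. Nothing here checks where the result ends up.
    static String unsafeResolve(String requested) {
        return ROOT + "/" + requested;
    }

    // Hardened pattern: resolve against ROOT, collapse "." and ".." segments, then
    // require that the canonical result still starts with ROOT. The check has to run
    // on the decoded request path, i.e. after the servlet container has undone
    // percent-encoding, otherwise an encoded ".." would slip past it.
    static Path safeResolve(String requested) {
        Path candidate = ROOT.resolve(requested).normalize();
        if (!candidate.startsWith(ROOT)) {
            throw new IllegalArgumentException("request escapes service root: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample request paths: one legitimate, two that climb out of ROOT.
        String[] samples = {
            "css/site.css",
            "../../config/database.properties",
            "img/../../app.log"
        };
        for (String s : samples) {
            System.out.println("request       : " + s);
            System.out.println("  unsafe path : " + unsafeResolve(s));
            try {
                System.out.println("  safe path   : " + safeResolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected    : " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac ResourcePathCheck.java && java ResourcePathCheck`. The first request resolves to a path under ROOT and is accepted; the other two normalize to `/srv/app/config/database.properties` and `/srv/app/app.log`, which no longer start with ROOT, so `safeResolve` rejects them while `unsafeResolve` happily returns them. The fix for this bulletin is to move to the Spring versions listed under "Solutions for this threat"; a root-prefix check of this kind is the defence-in-depth to apply in any custom servlet that maps request paths to files, and a log line for each rejection gives detection engineers a cheap traversal signal.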

This computer threat note impacts software or systems such as Debian, Fedora, QRadar SIEM, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Percona Server, Spring Framework, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio.

Our Vigil@nce team determined that the severity of this weakness alert is medium.

The trust level is confirmed by the vendor, and the attack origin is an internet client.

An attacker with expert skill can exploit this vulnerability.

Solutions for this threat

Spring Framework: versions 4.3.5, 4.2.9, 3.2.18.
Versions 4.3.5, 4.2.9, 3.2.18 are fixed.

Debian 8: new libspring-java packages.
New packages are available:
  Debian 8: libspring-java 3.0.6.RELEASE-17+deb8u1

Fedora 25: new springframework packages.
New packages are available:
  Fedora 25: springframework 3.2.18-1.fc25

IBM QRadar SIEM: fixed versions for Spring Framework.
Fixed versions are indicated in information sources.

Liferay Portal: version 7.1.3 CE GA 4.
The version 7.1.3 CE GA 4 is fixed.

MariaDB: version 5.5.60.
The version 5.5.60 is fixed:
  https://mariadb.com/

Oracle MySQL: version 5.5.60.
The version 5.5.60 is fixed:
  https://support.oracle.com/rs?type=doc&id=2375344.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.6.40.
The version 5.6.40 is fixed:
  https://support.oracle.com/rs?type=doc&id=2375344.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.7.22.
The version 5.7.22 is fixed:
  https://support.oracle.com/rs?type=doc&id=2375344.1
  https://dev.mysql.com/downloads/mysql/

Percona Server for MySQL: version 5.5.60-38.12.
The version 5.5.60-38.12 is fixed:
  https://www.percona.com/

Percona Server: version 5.7.22-22.
The version 5.7.22-22 is fixed:
  https://www.percona.com/doc/percona-server/5.7/installation.html

Percona XtraDB Cluster: version 5.7.22-29.26.
The version 5.7.22-29.26 is fixed:
  http://www.percona.com/downloads/Percona-XtraDB-Cluster-57/

Red Hat JBoss Fuse/A-MQ: version 6.3 R5.
The version 6.3 R5 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jboss.amq.broker&version=6.3.0

SAS: version 9.4M6 TS1M6 3-11-2019.
The version 9.4M6 is fixed:
  https://support.sas.com/

Computer vulnerabilities tracking service

Vigil@nce provides software vulnerability announcements. The technology watch team tracks security threats targeting information systems. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce vulnerability database contains several thousand vulnerabilities.