myhack58 | Anonymous | MYHACK58:62201993763
Apr 19, 2019 - 12:00 a.m.

Spring Cloud Config directory traversal vulnerability (CVE-2019-3799) early warning


Recently, the Spring team disclosed a Spring Cloud Config directory traversal vulnerability, CVE-2019-3799, in its latest security update. The vulnerability is officially rated High, which makes it a high-risk vulnerability. In essence, the spring-cloud-config-server module allows an application to fetch arbitrary configuration files, so an attacker can construct a malicious URL to carry out a directory traversal.
Spring product description
Spring is a layered application framework for Java/Java EE/.NET. It is an open source framework for multi-tier J2EE systems built on IoC and AOP; it is well modularized, implements a very elegant MVC, and provides a unified interface over different data access technologies. In addition, its IoC makes bean assembly easy, and its AOP is simple to use and is the basis for features such as transaction management. Spring offers a simple development approach that avoids the large number of properties files and helper classes that can make the underlying code complicated and confusing. The framework is currently very widely used. Spring Data is the Spring framework's project module for underlying data access, and Spring Data Commons is its common base module.
Vulnerability analysis
CVE-2019-3799 vulnerability principle: because the spring-cloud-config-server module does not apply security restrictions to the incoming path, an attacker can use multiple ..%252f sequences for directory traversal and view sensitive files in other paths on the server, resulting in sensitive information disclosure.
The official fix patch is as follows:
![](/Article/UploadPic/2019-4/2019419135610520.png)
Comparing the patch shows that the latest official version adds an isInvalidEncodedPath method, which inspects the incoming URL and, if it contains %, URL-decodes it. This prevents an attacker from using URL encoding to bypass the ../ check.
![](/Article/UploadPic/2019-4/2019419135612408.png)
The newly added isInvalidPath method then checks the URL for keywords: if WEB-INF, META-INF, .. or ../ is present, it triggers a warning.
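The decode-then-check logic described above can also be used on the defensive side to flag traversal attempts in request logs. The following is an added example, not code from Spring Cloud Config or from the original article; the function names and the sample paths are assumptions constructed for illustration, and it goes beyond the single decode described above by decoding repeatedly so that a doubly encoded %252f is also resolved.

```python
from urllib.parse import unquote

# Keywords the article lists for the added isInvalidPath check. A bare ".." is
# matched only as a whole path segment (a choice of this example) so that file
# names such as "release-1..2" are not flagged.
BLOCKED_MARKERS = ("WEB-INF", "META-INF", "../")
MAX_DECODE_ROUNDS = 5  # assumption: upper bound on nested percent-encoding


def decode_layers(path, max_rounds=MAX_DECODE_ROUNDS):
    """Return the path followed by each form produced by percent-decoding it again."""
    forms = [path]
    for _ in range(max_rounds):
        if "%" not in forms[-1]:
            break
        decoded = unquote(forms[-1])
        if decoded == forms[-1]:  # stray '%' that is not an escape sequence
            break
        forms.append(decoded)
    return forms


def is_suspicious_path(path):
    """True if any decoded layer holds a blocked marker or a '..' segment."""
    for form in decode_layers(path):
        normalized = form.replace("\\", "/")
        if any(marker in normalized for marker in BLOCKED_MARKERS):
            return True
        if ".." in normalized.split("/"):
            return True
    return False


def flag_requests(paths):
    """Filter an iterable of request paths down to the suspicious ones."""
    return [p for p in paths if is_suspicious_path(p)]


# Constructed sample request paths (not captured traffic).
SAMPLE_PATHS = [
    "/test/pathtraversal/master/application.yml",
    "/test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd",
    "/app/default/master/..%252f..%252fapplication.yml",
    "/app/default/master/release-1..2/notes.txt",
    "/app/default/master/100%25-coverage.txt",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_PATHS):
        print("suspicious:", hit)
```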
Vulnerability reproduction
Download a vulnerable version of Spring Cloud Config from the following address:
https://github.com/spring-cloud/spring-cloud-config
Start the environment and send a GET request for /test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd; the contents of the Linux passwd file can then be read.
![](/Article/UploadPic/2019-4/2019419135617788.png)
The scope of the impact
According to current statistics, the number of Spring server assets exposed on the Internet worldwide is up to 5 million, of which more than 28,000 affected assets are in China.
Spring Cloud Config versions currently affected:
Spring Cloud Config 2.1.0 to 2.1.1
Spring Cloud Config 2.0.0 to 2.0.3
Spring Cloud Config 1.4.0 to 1.4.5
Repair recommendations
The latest official Spring release fixes the Spring Cloud Config directory traversal vulnerability. Download address: https://github.com/spring-cloud/spring-cloud-config/releases
Reference links
https://pivotal.io/security/cve-2019-3799