CVE-2024-37084: Critical Vulnerability in Spring Cloud Data Flow Allowing Attackers to Compromise Server

A critical vulnerability, CVE-2024-37084, has been discovered in Spring Cloud Data Flow (SCDF); it affects all versions prior to 2.11.4. It allows a malicious user with access to the Skipper server API to send a crafted upload request that writes an arbitrary file to any location on the server's filesystem, which could lead to a complete compromise of the server.

In this post, we will examine the details of this vulnerability, the steps required to exploit it, and the available mitigations to keep your SCDF instances secure.

Vulnerability Details

The developers of Spring Cloud Data Flow were informed of this vulnerability, and an official security advisory was published on their GitHub repository. You can find the full advisory here.

The vulnerability is caused by a lack of proper validation on file paths when handling file upload requests on the Skipper server API. This allows an attacker to craft a specially formatted request and use the "../" (dot-dot-slash) path traversal technique to write files anywhere on the server's filesystem.

Exploiting the Vulnerability

To exploit this vulnerability, the attacker needs access to the Skipper server API and the ability to send specially crafted HTTP requests to it. A command-line HTTP client such as curl is sufficient.

Here's a sample curl command that demonstrates how one might exploit this vulnerability:

curl -X POST -H "Content-Type: multipart/form-data" -F "file=@malicious.jar" -F "path=../../../../../../etc/malicious.jar" "http://[Skipper_Server_Address]:[Skipper_Server_Port]/api/packages";

In this example, the attacker uploads a malicious JAR file and sets the path parameter to "../../../../../../etc/malicious.jar". This could potentially place the malicious JAR file in the server's /etc directory, which, if executed, could grant the attacker further access and control over the server.
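The root cause described above is a destination path built from a client-supplied value with no containment check. The following is an added example, not SCDF's or Skipper's own code, contrasting that flawed pattern with a hardened check that confines every upload to a base directory; the UPLOAD_ROOT directory and the file names are constructed for the example.

```python
import os
from pathlib import Path

# Constructed stand-in for the server's package upload area (an assumption,
# not SCDF's real layout).
UPLOAD_ROOT = "/srv/skipper/packages"


def vulnerable_destination(upload_root: str, requested_path: str) -> str:
    """Flawed pattern: the client-supplied path is joined and normalised, so
    enough '..' segments walk out of upload_root and land anywhere on disk."""
    return os.path.normpath(os.path.join(upload_root, requested_path))


def safe_destination(upload_root: str, requested_path: str) -> Path:
    """Hardened form: refuse absolute paths, resolve the candidate, then
    require it to sit strictly below upload_root. Raises ValueError otherwise."""
    if not requested_path or requested_path.strip() != requested_path:
        raise ValueError("empty or whitespace-padded path rejected")
    # Joining with an absolute right-hand side silently discards the root,
    # so reject absolute paths before any join happens.
    if Path(requested_path).is_absolute():
        raise ValueError("absolute paths are not allowed")
    root = Path(upload_root).resolve()
    # resolve() collapses '.' and '..' and follows symlinks in existing
    # components; the target file need not exist yet.
    candidate = (root / requested_path).resolve()
    # Containment check: the root itself is not a valid file destination.
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"path escapes upload root: {requested_path!r}")
    return candidate


def is_allowed(upload_root: str, requested_path: str) -> bool:
    """Boolean verdict for callers that only need accept/reject."""
    try:
        safe_destination(upload_root, requested_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    attack = "../../../../../../etc/malicious.jar"  # path value from the request above
    print("vulnerable join ->", vulnerable_destination(UPLOAD_ROOT, attack))
    for p in (attack, "/etc/malicious.jar", ".", "myapp/log-sink-1.0.jar"):
        print(f"{p!r:42} allowed={is_allowed(UPLOAD_ROOT, p)}")
```

The same containment rule applies to any path parameter that is accepted only to limit upload size: a size limit alone does not stop a traversal sequence.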

Mitigation and Solution

The developers of Spring Cloud Data Flow have released a patch that resolves this vulnerability in SCDF versions 2.11.4 and later. If you haven't already updated your SCDF instances, you should do so immediately.

To secure your SCDF instances, follow these steps:

1. Visit the Spring Cloud Data Flow GitHub releases page here.


4. Add proper file upload validation by updating the max-file-size and max-request-size properties in your application.yml or application.properties file:

Wrapping Up

The CVE-2024-37084 vulnerability poses a serious threat to any organization using unpatched versions of Spring Cloud Data Flow. By following the mitigation steps provided above and staying up-to-date on the latest security advisories, you can greatly reduce the risk of being attacked and keep your SCDF instances secure.

Timeline

Published on: 07/25/2024 10:15:07 UTC
Last modified on: 08/01/2024 13:53:22 UTC