Headline
GHSA-9654-pr4f-gh6m: HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057
Impact
Zip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.
This issue allows a malicious actor to potentially break out of the TerminologyCacheManager cache directory. The impact is limited to sibling directories.
To demonstrate the vulnerability, consider userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.
Why?
To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out").
The check is bypassed although /outnot is not under the /out directory.
It’s important to understand that the terminating slash may be removed when using various String representations of the File object.
For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/;
however, println(new File("/var", "/").getCanonicalPath()) will print /var.
The Fix
Comparing paths with the java.nio.files.Path#startsWith will adequately protect againts this vulnerability.
For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())
Other Examples
- CVE-2022-31159 - aws/aws-sdk-java
- CVE-2022-23457 - ESAPI/esapi-java-legacy
Vulnerability
https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105
While getAbsolutePath will return a normalized path, because the string path is not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.
Patches
All org.hl7.fhir.core libraries should be updated to 5.6.106.
Workarounds
Unknown
References
- https://snyk.io/research/zip-slip-vulnerability
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-9654-pr4f-gh6m
HL7 FHIR Partial Path Zip Slip due to bypass of CVE-2023-24057
Critical severity GitHub Reviewed Published Mar 10, 2023 in hapifhir/org.hl7.fhir.core • Updated Mar 10, 2023
Package
maven ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven)
Affected versions
< 5.6.106
maven ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven)
maven ca.uhn.hapi.fhir:org.hl7.fhir.r4b (Maven)
maven ca.uhn.hapi.fhir:org.hl7.fhir.r5 (Maven)
maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven)
maven ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven)
Impact
Zip Slip protections implemented in CVE-2023-24057 (GHSA-jqh6-9574-5x22) can be bypassed due a partial path traversal vulnerability.
This issue allows a malicious actor to potentially break out of the TerminologyCacheManager cache directory. The impact is limited to sibling directories.
To demonstrate the vulnerability, consider userControlled.getCanonicalPath().startsWith(“/usr/out”) will allow an attacker to access a directory with a name like /usr/outnot.
Why?
To demonstrate this vulnerability, consider "/usr/outnot".startsWith(“/usr/out”).
The check is bypassed although /outnot is not under the /out directory.
It’s important to understand that the terminating slash may be removed when using various String representations of the File object.
For example, on Linux, println(new File(“/var”)) will print /var, but println(new File("/var", “/”) will print /var/;
however, println(new File("/var", “/”).getCanonicalPath()) will print /var.
The Fix
Comparing paths with the java.nio.files.Path#startsWith will adequately protect againts this vulnerability.
For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())
Other Examples
- CVE-2022-31159 - aws/aws-sdk-java
- CVE-2022-23457 - ESAPI/esapi-java-legacy
Vulnerability
https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105
While getAbsolutePath will return a normalized path, because the string path is not slash terminated, the guard can be bypassed to write the contents of the Zip file to a sibling directory of the cache directory.
Patches
All org.hl7.fhir.core libraries should be updated to 5.6.106.
Workarounds
Unknown
References
- https://snyk.io/research/zip-slip-vulnerability
References
- GHSA-9654-pr4f-gh6m
- https://github.com/hapifhir/org.hl7.fhir.core/blob/b0daf666725fa14476d147522155af1e81922aac/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/TerminologyCacheManager.java#L99-L105
- https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/5.6.106
Published to the GitHub Advisory Database
Mar 10, 2023
Last updated
Mar 10, 2023