The Snyk Security team recently alerted the public to a vulnerability they’ve dubbed the Zip Slip vulnerability, which is an arbitrary file overwrite that results in remote command execution. Read through the technical paper on this vulnerability to best understand the scope of the issue. In summary:
“It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more (CVEs and full list here). Of course, this type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries.”
The good news is that the team has already fixed the issue – so users just need to update. The bad news is that this vulnerability could affect thousands of projects built with this particular code.
Like many other bugs in the infosec world, this one is an old problem that’s still recurring. It falls to the users and DevOps professionals to fix their code, especially if they’ve used affected open source libraries. In particular, the Snyk Security team calls out the following ecosystems where the Zip Slip vulnerability has been found:
“…including JavaScript, Ruby, .NET and Go, but [it] is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow.”
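The hand-crafted snippets described above typically join each archive entry name straight onto the destination directory, so an entry named with `../` components is written outside it. The following added example (not code from Snyk or from any affected project) shows that vulnerable path computation next to a canonical-path containment check, run over a constructed in-memory zip with one benign entry and one traversal entry; the destination path and entry names are assumptions made for the demonstration.

```python
import io
import os
import zipfile


def naive_target_path(dest_dir: str, entry_name: str) -> str:
    # Vulnerable pattern: the attacker-controlled entry name is joined onto
    # dest_dir with no validation, so "../" components walk out of it.
    return os.path.join(dest_dir, entry_name)


def is_within_directory(dest_dir: str, target: str) -> bool:
    # Canonicalise both sides so "..", symlinks and mixed separators cannot
    # escape dest_dir; this is the check the vulnerable snippets omit.
    dest_real = os.path.realpath(dest_dir)
    target_real = os.path.realpath(target)
    return target_real == dest_real or target_real.startswith(dest_real + os.sep)


def classify_entries(dest_dir: str, archive_bytes: bytes):
    """Return (accepted, rejected) entry names without writing anything."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = naive_target_path(dest_dir, info.filename)
            (accepted if is_within_directory(dest_dir, target) else rejected).append(info.filename)
    return accepted, rejected


def safe_extract(dest_dir: str, archive_bytes: bytes):
    """Extract only entries whose resolved path stays inside dest_dir."""
    accepted, rejected = classify_entries(dest_dir, archive_bytes)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in accepted:
            target = naive_target_path(dest_dir, name)
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return accepted, rejected


def build_sample_archive() -> bytes:
    # Constructed sample archive: one benign entry and one traversal entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../etc/evil.txt", "would land outside dest_dir\n")
    return buf.getvalue()
```

Calling `safe_extract("/tmp/zipslip-dest", build_sample_archive())` writes only `docs/readme.txt` and reports the traversal entry as rejected; logging those rejections is a cheap detection signal for archives that should never contain such names.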
The best thing to do is to read the full technical report from Snyk and then comb through your code to make sure you’ve updated everything that needs updating. We’ll keep the coffee on for you.