BlackBerry ThreatVector Blog

Update Now to Avoid the Zip Slip Vulnerability

FEATURE / 06.07.18 / Sally Feller

The Snyk Security team recently alerted the public to a vulnerability they have dubbed Zip Slip, an arbitrary file overwrite that results in remote command execution. Read Snyk's technical paper on the vulnerability to understand the full scope of the issue. In summary:

“It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more (CVEs and full list here). Of course, this type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries.”

The good news is that the team has already fixed the issue, so users just need to update. The bad news is that this vulnerability could affect thousands of projects built with this particular code.

Like many other bugs in the infosec world, this one is an old problem that’s still recurring. It falls to the users and DevOps professionals to fix their code, especially if they’ve used affected open source libraries. In particular, the Snyk Security team calls out the following ecosystems where the Zip Slip vulnerability has been found:

“…including JavaScript, Ruby, .NET and Go, but [it] is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow."
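The hand-crafted extraction loops the Snyk report refers to all share one defect: the entry name from the archive is joined to the destination directory and written without checking where the joined path actually lands, so a name containing `../` components (or an absolute path) climbs out of the intended folder. The following Python is an added illustration, not code from the Snyk report or from this post; the archive it builds, the function names, and the temporary destination directory are all constructed for the demonstration. Python's own `zipfile.extractall` already strips `..` components, so the manual loop here stands in for the Java-style snippets the report calls out. The containment check is the fix: resolve the candidate path and refuse any entry that does not stay beneath the resolved destination, before writing anything.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """Constructed sample archive: one benign entry and, optionally, one
    entry whose name climbs out of the extraction directory (the Zip Slip
    pattern the Snyk report describes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        if include_traversal:
            # zipfile only strips leading slashes on write; ".." survives.
            zf.writestr("../../escaped.txt", "would land outside dest\n")
    return buf.getvalue()


def _inside(target: Path, root: Path) -> bool:
    """True when target equals root or lies beneath it after resolution."""
    return target == root or root in target.parents


def unsafe_entries(archive: bytes, dest: Path) -> list:
    """Names of entries that would resolve outside dest once joined to it.
    Joining an absolute name discards dest entirely, so those are caught too."""
    root = dest.resolve()
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            # resolve() normalises ".." without requiring the path to exist
            if not _inside((root / name).resolve(), root):
                flagged.append(name)
    return flagged


def safe_extract(archive: bytes, dest: Path) -> list:
    """Extract only after every entry passes the containment check, so a
    hostile archive never gets a partial write. Returns the files written."""
    root = dest.resolve()
    bad = unsafe_entries(archive, dest)
    if bad:
        raise ValueError(f"archive entries escape {root}: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def run_demo() -> dict:
    """Exercise a hostile and a clean archive against a fresh temp directory."""
    dest = Path(tempfile.mkdtemp(prefix="zipslip-demo-"))
    hostile = build_sample_archive(include_traversal=True)
    clean = build_sample_archive(include_traversal=False)
    result = {"flagged": unsafe_entries(hostile, dest), "rejected": False}
    try:
        safe_extract(hostile, dest)
    except ValueError:
        result["rejected"] = True
    # nothing from the hostile archive was written, not even the benign entry
    result["partial_write"] = (dest / "docs" / "readme.txt").exists()
    result["clean_written"] = [p.name for p in safe_extract(clean, dest)]
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Checking every entry before the first write matters: an extractor that validates entry-by-entry still leaves the benign entries of a hostile archive on disk, and an archive can be crafted so the escaping entry comes last. The same resolve-then-compare check applies to tar and any other archive format whose entry names come from an untrusted source.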

The best thing to do is to read the full technical report from Snyk and then comb through your code to make sure you have updated everything that needs updating. We’ll keep the coffee on for you.

About Sally Feller

Content Strategy Manager at Cylance

Sally Feller is the Content Strategy Manager at Cylance, having worked in communications, public relations, and social media in the cybersecurity industry for five years. She moved from the world of book publishing to the world of infosec, building up a high profile for Duo Security during their early years. Now, at Cylance, Sally focuses on translating complex, technical content into clear, concise instructional articles for the average consumer and tech enthusiast. She’s thrilled to be working alongside such incredible researchers and data scientists and is passionate about teaching readers how Cylance can help organizations prevent cyberattacks.