Security firm Snyk has disclosed a widespread and critical flaw in multiple archive file-extraction libraries found in thousands of open-source web application projects from HP, Amazon, Apache, Oracle, LinkedIn, Twitter and others.
As Snyk explains, some ecosystems, such as Java, don't provide a central software library for fully unpacking archive files, leading developers to write their own code snippets to enable that functionality.
In this case, those code snippets contain a vulnerability, dubbed Zip Slip, that exposes an application to a directory traversal attack. This flaw would allow an attacker to reach the root directory and from there enable remote command execution.
The reason the Zip Slip bug has spread among so many software projects is that it is contained in code snippets that are shared on developer community sites, such as StackOverflow, allowing the same flaw or variants of it to slip into other projects, according to Snyk.
Besides .zip, it can also affect other archive formats, such as .tar, .jar, .war, .cpio, .apk, .rar, and .7z.
To exploit Zip Slip, an attacker needs to use a specially crafted archive file containing extra directory paths designed to traverse up to the root directory as the file is extracted.
"The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside the target folder in which they should reside," Snyk explains in a technical paper.
"The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine."
Snyk found the vulnerability in 15 archive extraction software libraries that don't validate file paths in an archive file.
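The missing check is the one shown below: before writing an entry, canonicalise the destination path and confirm it still lies inside the extraction directory. This is an added illustration, not code from Snyk or from any of the affected libraries, and it uses a constructed in-memory archive containing one benign entry and one "../../" entry of the kind the article describes. Python's own zipfile.extractall() already strips such components, so the check is spelled out explicitly here to show what the hand-written extraction loops Snyk describes leave out. The function names (is_safe_member, audit_archive, safe_extract, demo) are this example's own.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample for this demo: one benign entry plus one Zip Slip-style
    entry whose name climbs out of the extraction directory with '../'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../escaped.sh", "#!/bin/sh\necho this landed outside the target\n")
    return buf.getvalue()


def is_safe_member(target_dir: str, member_name: str) -> bool:
    """True only if the entry, once joined to target_dir and canonicalised,
    still lies inside target_dir. Rejects '../' sequences and absolute names."""
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, member_name))
    return dest == root or dest.startswith(root + os.sep)


def audit_archive(data: bytes, target_dir: str) -> list:
    """Detection: list the entry names that would land outside target_dir."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(target_dir, n)]


def safe_extract(data: bytes, target_dir: str, strict: bool = True) -> list:
    """Mitigation: extract entries one by one, checking each destination first.
    strict=True refuses the whole archive if any entry escapes; strict=False
    skips only the offending entries. Returns the entry names actually written."""
    root = os.path.realpath(target_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = [n for n in zf.namelist() if not is_safe_member(root, n)]
        if bad and strict:
            raise ValueError("refusing archive with traversal entries: %r" % bad)
        for info in zf.infolist():
            if info.filename in bad:
                continue
            dest = os.path.realpath(os.path.join(root, info.filename))
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def demo() -> dict:
    """Run the audit, a strict extraction and a lenient extraction in a fresh
    temporary directory, and confirm nothing was written outside it."""
    data = build_sample_archive()
    target = tempfile.mkdtemp(prefix="zipslip-demo-")
    result = {"rejected": audit_archive(data, target)}
    try:
        safe_extract(data, target, strict=True)
        result["strict_raised"] = False
    except ValueError:
        result["strict_raised"] = True
    result["written"] = safe_extract(data, target, strict=False)
    escaped = os.path.realpath(os.path.join(target, "../../escaped.sh"))
    result["escaped_file_exists"] = os.path.exists(escaped)
    return result


if __name__ == "__main__":
    print(demo())
```

The comparison is done on realpath() output rather than on the raw entry name, so an entry such as "a/../../b" or an absolute path is caught even though it contains no leading "../", and any symlink already present under the target directory is resolved before the prefix test. Running audit_archive() over an upload before extraction gives a cheap detection signal; the strict mode of safe_extract() is the safer default, since an archive with even one traversal entry is not one a legitimate producer would have built.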
Affected library developers have since fixed this issue after Snyk began alerting developers in April.
However, application developers that use any of these vulnerable libraries will need to update to a fixed version.
Snyk has published a list on GitHub of affected archive processing libraries for Java, .NET, Oracle, Apache, Ruby, and Go software.