Open-source security: Zip Slip critical flaw hits thousands of projects. Update now

Faults in hand-made archive file-processing software libraries spread flaw to thousands of open-source projects.
Written by Liam Tung, Contributing Writer


Security firm Snyk has disclosed a widespread and critical flaw in multiple archive file-extraction libraries found in thousands of open-source web application projects from HP, Amazon, Apache, Oracle, LinkedIn, Twitter and others.

As Snyk explains, some ecosystems, such as Java, don't provide a central software library for fully unpacking archive files, leading developers to write their own code snippets to enable that functionality.

In this case, those code snippets contain a vulnerability, dubbed Zip Slip, that exposes an application to a directory traversal attack. This flaw would allow an attacker to reach the root directory and from there enable remote command execution.

The vulnerable code has been found in multiple archive extraction libraries for use across numerous ecosystems, including .NET, Java, JavaScript, Go, and Ruby.


The reason the Zip Slip bug has spread among so many software projects is that it is contained in code snippets that are shared on developer community sites, such as StackOverflow, allowing the same flaw or variants of it to slip into other projects, according to Snyk.

Besides .zip, it can also affect other archive formats, such as .tar, .jar, .war, .cpio, .apk, .rar, and .7z.

To exploit Zip Slip, an attacker needs to use a specially crafted archive file containing extra directory paths designed to traverse up to the root directory as the file is extracted.

"The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside the target folder in which they should reside," Snyk explains in a technical paper.

"The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine."
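The check that the vulnerable snippets omit is a path validation step before each entry is written. The following added example (not code from the article or from Snyk) shows a hand-rolled extractor of the kind the article describes, with the missing validation in place: every entry name is joined to the destination directory, canonicalised, and rejected if it resolves outside that directory. The archives, the entry names, and the function names are constructed for this demonstration.

```python
import io
import os
import tempfile
import zipfile
from typing import List


def is_safe_entry(entry_name: str, dest_dir: str) -> bool:
    """True if the entry resolves inside dest_dir after canonicalisation.

    Handles both '../' components and absolute entry names: os.path.join
    discards dest_dir when the entry is absolute, so the realpath comparison
    catches that case as well.
    """
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, entry_name))
    return target == dest_root or target.startswith(dest_root + os.sep)


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Pre-extraction check: list every entry that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry(n, dest_dir)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Hand-rolled extractor that refuses the whole archive if any entry is unsafe.

    Validating all entries first avoids a partially written archive when the
    offending entry is not the first one.
    """
    unsafe = find_unsafe_entries(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError(f"refusing archive: entries escape {dest_dir}: {unsafe}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_sample_archive(entries) -> bytes:
    """Construct an in-memory zip from (name, content) pairs; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign archive, and one whose second entry climbs
# out of the extraction directory with '../' components.
BENIGN_ZIP = build_sample_archive([("docs/readme.txt", "hello")])
TRAVERSAL_ZIP = build_sample_archive(
    [("docs/readme.txt", "hello"), ("../../escaped.txt", "x")]
)


def demo() -> dict:
    """Run both samples against a fresh temporary directory and report the outcome."""
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    result = {"benign": safe_extract(BENIGN_ZIP, dest), "rejected": []}
    try:
        safe_extract(TRAVERSAL_ZIP, dest)
    except ValueError:
        result["rejected"] = find_unsafe_entries(TRAVERSAL_ZIP, dest)
    return result


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extract` strips `..` components from entry names, which is why the ecosystem's standard library was not among the affected code; the defect the article describes lives in extractors that open and write each entry themselves, as the loop in `safe_extract` does, and the `find_unsafe_entries` check is what such loops need to add. The same canonicalise-then-compare check applies unchanged to tar and the other formats the article lists.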

Snyk found the vulnerability in 15 archive extraction software libraries that don't validate file paths in an archive file.

Affected library developers have since fixed this issue after Snyk began alerting developers in April.

However, application developers who use any of these vulnerable libraries will need to update to a fixed version.

Snyk has published a list on GitHub of affected archive processing libraries for Java, .NET, Oracle, Apache, Ruby, and Go software.
