
Making sure our users don't zip-slip and fall

Security vulnerabilities in open source software are a fact of life. Sonatype has extensive automated monitoring systems in place designed to discover zero days prior to their public disclosure.

We recently became aware of a vulnerability in plexus-archiver, a component widely used by Apache Maven and related plugins. A maliciously crafted archive (zip, gz, etc.) can contain entries whose paths, when the archive is extracted to disk, traverse the file system and write outside the intended directory, potentially enabling further attacks. This happens when entries in the archive use paths such as ../../: plexus-archiver would unpack them using the relative path as given, without restricting the output to the intended destination directory.

Fortunately, in typical operation Maven doesn't unpack the components it processes, so the vast majority of usage is unaffected. Additionally, an attacker would have to both create and distribute the malicious archive and then get a victim to unpack it, when most archives are not intended to be unpacked at all. Factor in the OS-level permissions needed to write a file outside the path structure intended for the archive, and this is a fairly long kill chain of unlikely events.

Sonatype has provided The Central Repository for over a decade and we take the security of our users very seriously. Once we became aware of the vulnerability, our first thought was to ensure Central wasn't being used now, or in the future, to deliver payloads for this exploit.

The analysis phase required investigating components containing well over 8 billion individual file paths. In the process, we found that it is fairly common for components to include one level of directory traversal (e.g. ../xxx), but exceedingly rare to see anything deeper than this. We found many “interesting” file paths but no malicious ones in the existing content.

To protect against copy-cat exploits down the road, we have taken steps to monitor for, detect and block components whose file paths contain directory traversal sequences.
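As an added illustration (not Sonatype's scanner and not plexus-archiver's code), the Python below builds a constructed archive containing the kinds of entry paths described above, classifies each entry by how far it would climb out of the extraction root, and shows the canonical-path check an extractor needs before writing to disk. The entry names and the `max_depth` policy knob are assumptions made for the example.

```python
import io
import os
import zipfile

def build_sample_zip() -> bytes:
    """Constructed sample (not Central content): benign, one-level, deep, absolute."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("../sibling/notes.txt", "one level up\n")
        zf.writestr("../../../tmp/zip-slip-demo.txt", "deep traversal\n")
        zf.writestr("/etc/zip-slip-demo", "absolute path\n")
    return buf.getvalue()

def escape_depth(entry_name: str) -> int:
    """Deepest level an entry climbs above the extraction root; 'a/../b' is 0."""
    depth = deepest = 0
    for part in entry_name.replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            deepest = min(deepest, depth)
        elif part not in ("", "."):
            depth += 1
    return -deepest

def audit_archive(data: bytes, max_depth: int = 0) -> list:
    """(entry, reason) pairs for entries that would land outside the extraction root."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(("/", "\\")):
                findings.append((name, "absolute path"))
            elif escape_depth(name) > max_depth:  # 0 flags any '../'; 1 tolerates one level
                findings.append((name, f"escapes {escape_depth(name)} level(s)"))
    return findings

def safe_extract(data: bytes, dest: str) -> tuple:
    """Write only entries whose canonical path stays under dest; return (written, skipped)."""
    root = os.path.realpath(dest)
    written, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:  # the check plexus-archiver lacked
                skipped.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(info.filename)
    return written, skipped
```

Running `audit_archive` with `max_depth=1` reproduces the policy choice the analysis above hints at: single-level traversal is common in real components, so a scanner may tolerate it while still blocking anything deeper or absolute.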

Sonatype's roots are in open source, and we take our job as providers and caretakers of Central seriously. We believe in doing right by the community, making a difference where we can, and leaving things better than we found them. And we will continue to put processes in place to ensure our users never slip and fall.


Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.