Recently a directory traversal vulnerability in the Spring Framework was published (CVE-2018-1271). The Spring application will only be vulnerable when it is deployed on a Microsoft Windows based operating system and the application developer uses the “file://” scheme as the path of the static resources.
Figure 1: Example of a vulnerable resource path configuration
The answer for why only applications deployed on servers based on Microsoft Windows operating systems are vulnerable can be found in the Github commit that fixes the vulnerability. We can see that the “isInvalidEncodedPath” function covered only the case of “../” directory traversal attempts, while Windows operating systems supports paths that contains backslashes, and thus “..\” will also lead to directory traversal.
Figure 2: Spring Framework’s Github commit fixing the vulnerability
Mitigating the vulnerability with BIG-IP ASM
BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing evasion techniques in URL, "Directory Traversal” and “IIS Backslashes”.
Figure 3: Exploitation attempt blocked by “Directory Traversals” evasion technique.
Figure 4: Exploitation attempt blocked by “IIS backslashes” evasion technique.