Gal_Goldshtein, F5 Employee

Recently a directory traversal vulnerability in the Spring Framework was published (CVE-2018-1271). A Spring application is only vulnerable when it is deployed on a Microsoft Windows based operating system and the application developer uses the “file://” scheme as the location of its static resources.


Figure 1: Example of a vulnerable resource path configuration

The answer to why only applications deployed on Microsoft Windows based servers are vulnerable can be found in the GitHub commit that fixes the vulnerability. We can see that the “isInvalidEncodedPath” function covered only the “../” form of a directory traversal attempt, while Windows operating systems also accept paths that contain backslashes, so “..\” will equally lead to directory traversal.
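To make the root cause concrete, here is an added Python model (not Spring’s own code) of a check that, like the pre-fix “isInvalidEncodedPath”, only looks for forward-slash traversal, beside a hardened form that percent-decodes the path and folds backslashes into forward slashes the way Windows path resolution does. The sample request paths and the resource name “app/config.properties” are constructed for the illustration.

```python
"""Model of the path check behind CVE-2018-1271 (added example, not Spring's code)."""
from urllib.parse import unquote


def naive_is_invalid_path(path: str) -> bool:
    """Approximation of the pre-fix behaviour: only '../' traversal is rejected."""
    return "../" in path or path.startswith("..")


def hardened_is_invalid_path(path: str) -> bool:
    """Reject traversal regardless of separator or percent-encoding.

    Assumed defensive approach (not a copy of Spring's fix):
    1. percent-decode the request path,
    2. fold backslashes into forward slashes, as Windows would when resolving,
    3. reject any path that contains a '..' segment after normalisation.
    """
    decoded = unquote(path)
    folded = decoded.replace("\\", "/")
    return ".." in folded.split("/")


# Constructed sample request paths; each tuple is (path, should_be_rejected).
SAMPLE_REQUESTS = [
    ("/static/css/site.css", False),
    ("/static/../app/config.properties", True),           # classic form
    ("/static/..\\app\\config.properties", True),         # backslash form, Windows only
    ("/static/%2e%2e%5capp%5cconfig.properties", True),   # percent-encoded backslash form
]


def missed_by_naive(requests=SAMPLE_REQUESTS):
    """Paths that should be rejected but slip past the forward-slash-only check."""
    return [p for p, reject in requests if reject and not naive_is_invalid_path(p)]


def hardened_matches_expectation(requests=SAMPLE_REQUESTS):
    """True when the hardened check agrees with the expected verdict on every sample."""
    return all(hardened_is_invalid_path(p) == reject for p, reject in requests)


if __name__ == "__main__":
    for p, reject in SAMPLE_REQUESTS:
        print(f"{p!r:50} naive={naive_is_invalid_path(p)!s:5} "
              f"hardened={hardened_is_invalid_path(p)!s:5} expected={reject}")
```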


Figure 2: Spring Framework’s Github commit fixing the vulnerability

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability. Exploitation attempts are detected by the existing “Directory Traversals” and “IIS Backslashes” evasion technique checks applied to the URL.


Figure 3: Exploitation attempt blocked by “Directory Traversals” evasion technique.


Figure 4: Exploitation attempt blocked by “IIS backslashes” evasion technique.

Last update: 15-Apr-2018 06:48