Posted to jetspeed-user@portals.apache.org by David S Taylor <da...@bluesunrise.com> on 2016/03/03 22:16:00 UTC

[CVE-2016-0709] Apache Jetspeed information disclosure vulnerability

CVE-2016-0709: Code execution via ZIP file path traversal

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected

Description:
The Import/Export function in the Portal Site Manager, part of the Jetspeed Administrative Portlets, is vulnerable to a path traversal via specially crafted file names in ZIP archives. Any user with permission to upload files via this function can upload a file with a name like "../../../../tmp/foo" to write a file named "foo" in the /tmp directory. This is because the code that performs the unzipping of the archive does not check the validity of the file names before writing them to disk. This can be turned into code execution by uploading a .jsp file and writing it to somewhere on the file system where the web server will execute it when visited.

Mitigation:
2.2.0 - 2.3.0 users should upgrade to 2.3.1

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html