Amazon, Google Vulnerable to Zip Slip, Says Snyk Security Research
By Jessica Lyons Hardcastle
June 5, 2018, 7:00 am MT

A security vulnerability called Zip Slip that’s prevalent in open source code could impact millions of companies using Google Cloud Platform (GCP), some Amazon Web Services (AWS) and Alibaba products, and other projects, according to security startup Snyk.

Zip Slip is an arbitrary file overwrite vulnerability. In a white paper published today, Snyk (pronounced “sneak”), which maintains a database of security vulnerabilities in open source libraries, warns that thousands of projects — and millions of users’ data — are at risk.

Snyk CEO Guy Podjarny said he’s unaware of any public exploits linked to this vulnerability, but he admitted that posting the security research will essentially start a race: “Will the owners fix the vulnerability? Or will hackers exploit it first?”

In an interview with SDxCentral, Podjarny explained that attackers exploit the vulnerability by using malicious file names inside archives, usually zip files, to gain access to other parts of the system. “The malicious archive contains a file that points to a folder that is outside the directory you are trying to extract the files to, and that is called arbitrary file write,” Podjarny said. “When that archive gets unzipped, the attacker’s file gets stored elsewhere on the system.”

The attacker can then overwrite sensitive files so that when the system runs it will use the attacker’s code. It can also cause a system to shut down entirely.
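The standard mitigation for the behaviour described above is to resolve each entry's real destination path before writing anything and refuse any entry that lands outside the extraction directory. The following is an added example, not code from Snyk or from any project named in the article; the function names and the in-memory archives (including the entry named `../escaped.txt`) are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

class ZipSlipError(Exception):
    pass

def resolve_entry_path(target_dir: str, entry_name: str) -> str:
    """Return the absolute destination for entry_name, or raise if it escapes target_dir."""
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, entry_name))
    # Compare with a trailing separator so "/out" does not accept "/out_other/file".
    if dest != root and not dest.startswith(root + os.sep):
        raise ZipSlipError(f"entry {entry_name!r} resolves to {dest}, outside {root}")
    return dest

def safe_extract(archive_bytes: bytes, target_dir: str) -> list[str]:
    """Extract every entry, validating all destinations before any write; returns paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Check every name first so a bad entry late in the archive writes nothing at all.
        planned = [(info, resolve_entry_path(target_dir, info.filename)) for info in zf.infolist()]
        for info, dest in planned:
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(dest)
    return written

def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {entry_name: content}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> tuple[int, bool]:
    # A benign archive is written; one whose entry points above the target directory is refused.
    with tempfile.TemporaryDirectory() as out:
        written = safe_extract(build_archive({"docs/readme.txt": b"hello"}), out)
        try:
            safe_extract(build_archive({"../escaped.txt": b"not here"}), out)
            rejected = False
        except ZipSlipError:
            rejected = True
    return len(written), rejected
```

Note that Python's own `ZipFile.extractall` already strips traversal components, so this check matters most in hand-written extraction loops of the kind the article describes.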

The vulnerability is especially widespread in the Java ecosystem because Java has no central library that does high-level processing of zip files. “In the absence of such a library, developers share code on platforms like Slack and other social channels,” Podjarny said.

This leads to developers handcrafting and unintentionally sharing vulnerable code.

“This vulnerability, Zip Slip, has been known to be a bad practice for a good many years,” Podjarny said. “What our research has discovered is that the vulnerability has been missed in many thousands of projects including ones from top-tier brands including HP [Hewlett Packard], Amazon, Pivotal, and many others, and thousands of open source projects.”

Snyk last month disclosed the vulnerability to vendors including Oracle, Pivotal, HP, Google, Amazon, LinkedIn, Alibaba, and others, as well as to Apache, which houses several of the open source projects deemed vulnerable. At press time, Oracle, Pivotal, HP, LinkedIn, and Apache, among others, had all fixed the vulnerable projects.

GCP, Amazon CodePipeline, and Alibaba Jstorm, however, are not yet fixed, according to Snyk.

The company’s threat researchers didn’t find any vulnerable code snippets or libraries in the Ruby and Python ecosystems. A page on the Snyk GitHub repository has an up-to-date list of the latest vulnerability information.

Snyk uses its open source database to continuously monitor enterprise applications’ dependencies and respond to vulnerabilities. The goal is to find any open source security flaws before the applications deploy. But when that doesn’t happen, Snyk can also upgrade or patch vulnerabilities.

The company processes hundreds or even thousands of vulnerability disclosures every quarter, Podjarny said. “This is a far larger vulnerability disclosure than we typically do,” he said. “This is a very large-scale vulnerability.”

Open Source Ubiquity, Security Risk

The latest warning comes about a year after the Equifax data breach, which also involved the exploitation of an open source framework library.

And it should teach security professionals, developers, and enterprises two lessons, Podjarny said. The first is about the importance of basic security hygiene and the need for automation.

“Security best practices, even ones that are well-known like not allowing these types of files, require better enforcement,” Podjarny said. “We need the world to invest in better automation, better ways of finding vulnerabilities within your code so you would not repeat mistakes that are known and reasonably easily caught.”

Another lesson is about the prevalence of shared open source libraries — and the potential security risks.

“Open source projects are used massively,” Podjarny said. “That implies that many parts of the world benefit from their goodness and are also susceptible to their risk. History shows typically it takes open source consumers a long time to clue in to the fact that a vulnerability like this has been disclosed and either download a fixed version or otherwise protect themselves.”
