CyRC Vulnerability Analysis: CVE-2022-1271 in gzip, but it’s not as bad as it sounds

CVE-2022-1271 is a new vulnerability affecting gzip, a widely used open source component for archiving, compressing, and decompressing files.

CVE-2022-1271, also tracked in the Black Duck KnowledgeBase™ as BDSA-2022-0958, is a bug in gzip, a file format and software application used for archiving, compressing, and decompressing files. Although a vulnerability in gzip has the potential to be cataclysmic, this vulnerability is actually in zgrep, a command used for searching through a gzip archive for a string.

Filenames containing newline characters can confuse zgrep, which can enable an attacker to overwrite arbitrary files. When GNU sed is also installed, the attacker can gain the ability to execute code. Most applications won’t bundle gzip itself, but they might invoke zgrep through a runtime call to the command line. In such a case, if the application passes unsanitized user input as the filename, the vulnerability could be exposed.
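The exposure path described above is an application that hands a user-controlled filename to zgrep. The following is an added example (not code from the original post or from the gzip project) of how such a caller can reject the triggering input before the command is ever built. It refuses filenames containing a newline, which is the case the post describes, and as a conservative generalization also refuses every other ASCII control character; it then constructs an argv list so that no shell is involved in launching zgrep. The `zgrep` program name, the `-e` and `--` argument handling, and the `run_zgrep` helper are assumptions of this example.

```python
import subprocess
from typing import List, Tuple

# Assumed program name; resolved through PATH when the command runs.
ZGREP = "zgrep"


class UnsafeFilename(ValueError):
    """Raised when a user-supplied filename could confuse zgrep."""


def is_safe_zgrep_filename(name: str) -> bool:
    """True when the filename is non-empty and free of control characters.

    A newline in the filename is the CVE-2022-1271 trigger described in the
    post; rejecting the remaining ASCII control characters (0x00-0x1f, 0x7f)
    is a conservative extension of that check.
    """
    if not name:
        return False
    return all(ord(c) >= 0x20 and c != "\x7f" for c in name)


def validate_zgrep_filename(name: str) -> str:
    """Return the filename unchanged, or raise UnsafeFilename."""
    if not is_safe_zgrep_filename(name):
        raise UnsafeFilename(f"refusing filename with control character: {name!r}")
    return name


def build_zgrep_argv(pattern: str, filename: str) -> List[str]:
    """Build the argument vector for a zgrep search.

    The pattern follows "-e" so a pattern beginning with "-" is not read as an
    option, and "--" ends option parsing so a filename beginning with "-" is
    treated as a file. The list form avoids shell interpretation entirely.
    """
    safe_name = validate_zgrep_filename(filename)
    return [ZGREP, "-e", pattern, "--", safe_name]


def run_zgrep(pattern: str, filename: str) -> Tuple[int, str]:
    """Run zgrep without a shell and return (exit status, stdout).

    Hypothetical helper for illustration; requires zgrep to be installed.
    """
    argv = build_zgrep_argv(pattern, filename)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Constructed inputs: the first is accepted, the second is rejected.
    print(build_zgrep_argv("needle", "logs/app.log.gz"))
    try:
        build_zgrep_argv("needle", "logs/app.log.gz\nevil")
    except UnsafeFilename as exc:
        print("rejected:", exc)
```

Validating the filename is a defence for the calling application only; it does not repair zgrep itself, so the upgrade discussed below still applies wherever zgrep may be reached by other paths.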

Container images used for cloud deployments will almost certainly have gzip. However, if you are not using the zgrep command, you won’t be affected by this vulnerability.

Remediation efforts for CVE-2022-1271

Software composition analysis (SCA) tools are designed for exactly this kind of situation. An SCA tool scans application source code and container images and compiles a catalog of the open source software components, known as a software Bill of Materials (SBOM). When new vulnerabilities are discovered, such as CVE-2022-1271, a good SCA tool will proactively notify you so you can address the issue right away.

If your application does use zgrep, and an attacker could supply filenames with newlines, you should upgrade gzip as soon as possible to the latest version, which is 1.12.
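One way to turn the upgrade advice into a repeatable check across hosts or container images is to parse the version banner printed by `gzip --version` and compare it against 1.12, and to confirm whether `zgrep` is even present. The following is an added example, not code from the original post; the banner format `gzip <version>` on the first output line is what GNU gzip prints, and the sample banners are constructed for the test. Note that distributions sometimes backport a fix without changing the upstream version number, so a version below 1.12 indicates that the package needs review, not proof that it is vulnerable.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Version in which the post says the issue is fixed.
FIXED_VERSION: Tuple[int, ...] = (1, 12)

_VERSION_RE = re.compile(r"^gzip\s+(\d+(?:\.\d+)*)", re.MULTILINE)


def parse_gzip_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the version tuple from `gzip --version` output.

    Returns None when the banner does not start with a recognisable
    "gzip <version>" line.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_fixed_version(version: Tuple[int, ...]) -> bool:
    """True when the parsed version is 1.12 or later.

    Tuple comparison handles versions with a differing number of components,
    e.g. (1, 11, 1) < (1, 12) and (1, 12, 1) >= (1, 12).
    """
    return version >= FIXED_VERSION


def assess_banner(banner: str) -> str:
    """Classify a version banner as 'fixed', 'needs-upgrade' or 'unknown'."""
    version = parse_gzip_version(banner)
    if version is None:
        return "unknown"
    return "fixed" if is_fixed_version(version) else "needs-upgrade"


def installed_gzip_banner() -> Optional[str]:
    """Run the local `gzip --version` and return its output, or None if absent."""
    if shutil.which("gzip") is None:
        return None
    proc = subprocess.run(["gzip", "--version"], capture_output=True, text=True, check=False)
    return proc.stdout


def zgrep_present() -> bool:
    """True when a zgrep executable is reachable via PATH.

    Per the post, hosts without zgrep are not affected regardless of version.
    """
    return shutil.which("zgrep") is not None


if __name__ == "__main__":
    banner = installed_gzip_banner()
    if banner is None:
        print("gzip not installed")
    else:
        print("gzip:", assess_banner(banner))
    print("zgrep present:", zgrep_present())
```

Running the module on a host prints whether the installed gzip is at or above 1.12 and whether zgrep is reachable; the two facts together reflect the post's guidance that the vulnerability only matters where zgrep is actually used.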

Check out our video on CVE-2022-1271, which includes a demonstration.

*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Jonathan Knudsen. Read the original post at: