Impact
Temporary directory hijacking.
This vulnerability exists because Netflix/hollow uses files and directories that already exist on the system without first checking their permissions or ownership.
The vulnerable code can be seen here:
https://github.com/Netflix/hollow/blob/eeefe2454ed2efce60b8971e1a02d8f7375ea7fb/hollow/src/main/java/com/netflix/hollow/api/producer/fs/HollowFilesystemBlobStager.java#L112-L140
Because Files.exists(parent) is checked before the directories are created, an attacker who can write to the enclosing location (for example a shared temporary directory) can pre-create these directories with wide permissions, and HollowFilesystemBlobStager will then use them as found.
Additionally, because an insecure source of randomness is used to name the staged files, the file names to be created can be deterministically calculated:
https://github.com/Netflix/hollow/blob/eeefe2454ed2efce60b8971e1a02d8f7375ea7fb/hollow/src/main/java/com/netflix/hollow/api/producer/fs/HollowFilesystemBlobStager.java#L110
As such, an attacker is fully able to control both the contents of the files and directories that HollowFilesystemBlobStager operates on.
The custom CodeQL queries used to find this issue, along with their results, can be found here:
https://lgtm.com/query/1543383251073929777/
https://lgtm.com/query/3142895023158674709/
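The following is an added illustration, not code from Hollow or from the advisory author. It contrasts the check-then-use pattern described above (exists() check, reuse of whatever directory is found, predictable file names) with a hardened variant that creates the directory with owner-only permissions, refuses a pre-existing directory unless it is a plain directory owned by the current user with no group/other bits, and names files with SecureRandom plus exclusive creation. The class and method names are made up for this example, and java.util.Random is assumed here as the stand-in for the insecure source of randomness; the advisory itself does not name the RNG.

```java
import java.io.IOException;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.security.SecureRandom;
import java.util.Random;
import java.util.Set;

/** Illustrative example (not Hollow's code): check-then-use staging vs. a hardened variant. */
public class StagingDirExample {

    // Assumed vulnerable pattern: exists() check, directory reused as found,
    // file name drawn from java.util.Random (assumed here as the weak RNG).
    static Path stageVulnerable(Path stagingDir) throws IOException {
        if (!Files.exists(stagingDir)) {
            Files.createDirectories(stagingDir); // umask-dependent perms; attacker may have pre-created it
        }
        Random weak = new Random();              // predictable seed: names can be computed in advance
        String name = "blob-" + Long.toHexString(weak.nextLong());
        Path blob = stagingDir.resolve(name);
        Files.write(blob, new byte[0]);          // follows whatever is already at that path
        return blob;
    }

    private static final SecureRandom RNG = new SecureRandom();
    private static final Set<PosixFilePermission> OWNER_RWX = PosixFilePermissions.fromString("rwx------");
    private static final Set<PosixFilePermission> OWNER_RW = PosixFilePermissions.fromString("rw-------");

    static Path stageHardened(Path stagingDir) throws IOException {
        FileAttribute<Set<PosixFilePermission>> dirAttr = PosixFilePermissions.asFileAttribute(OWNER_RWX);
        try {
            Files.createDirectory(stagingDir, dirAttr);   // atomic: fails if anything is already there
        } catch (FileAlreadyExistsException alreadyThere) {
            // Fall through and verify what exists instead of trusting it.
        }
        // Inspect the path itself (NOFOLLOW_LINKS) so a planted symlink is rejected, not followed.
        PosixFileAttributes attrs =
                Files.readAttributes(stagingDir, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        if (attrs.isSymbolicLink() || !attrs.isDirectory()) {
            throw new IOException("staging path is not a plain directory: " + stagingDir);
        }
        UserPrincipal me = stagingDir.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        if (!attrs.owner().equals(me)) {
            throw new IOException("staging directory owned by another user: " + stagingDir);
        }
        if (!OWNER_RWX.containsAll(attrs.permissions())) {
            throw new IOException("staging directory permissions too wide: "
                    + PosixFilePermissions.toString(attrs.permissions()));
        }
        // Unpredictable name from SecureRandom, created exclusively so a pre-placed file is never reused.
        byte[] rnd = new byte[16];
        RNG.nextBytes(rnd);
        StringBuilder name = new StringBuilder("blob-");
        for (byte b : rnd) {
            name.append(String.format("%02x", b));
        }
        Path blob = stagingDir.resolve(name.toString());
        // createFile throws FileAlreadyExistsException if the name is already taken.
        Files.createFile(blob, PosixFilePermissions.asFileAttribute(OWNER_RW));
        return blob;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Path.of(System.getProperty("java.io.tmpdir"),
                "staging-example-" + System.getProperty("user.name"));
        System.out.println("staged: " + stageHardened(dir));
    }
}
```

The hardened variant only validates the staging directory itself. An attacker who controls a path component above it (for example a world-writable /tmp where the parent can be replaced by a symlink between the check and the use) can still race it, so the stronger fix is to stage under a directory the process already owns, or to create a fresh one with Files.createTempDirectory and owner-only permission attributes rather than resolving a fixed path.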
Official Disclosure
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md
Fixed Version
This vulnerability has not been patched.