BSA-2018-662

Brocade Security Advisory ID

BSA-2018-662

Initial Publication Date

06/21/2018

Last Updated

08/28/2018

Revision

1.1: update

Risk Impact

Medium

Workaround

N/A

Component

Zip Slip

Affected CVE

CVE-2018-1002203, CVE-2018-1002204, CVE-2018-1002200, CVE-2018-1002201, CVE-2018-1002202, CVE-2018-1002205, CVE-2018-1002206, CVE-2018-1002207, CVE-2018-8008, CVE-2018-8009, CVE-2018-1261, CVE-2018-1263, CVE-2018-12036, CVE-2018-1002208, CVE-2018-1000544

Summary

Snyk's security team disclosed a widespread, critical-rated arbitrary file overwrite vulnerability that typically results in remote command execution.
The flaw, named Zip Slip, affects numerous archive-extraction libraries and archive formats.
More information is available at: https://github.com/snyk/zip-slip-vulnerability.

Brocade updates this advisory as affected libraries are reported and investigated.

Known CVEs

unzipper: CVE-2018-1002203
npm library: CVE-2018-1002204
plexus-archiver: CVE-2018-1002200
zt-zip: CVE-2018-1002201
zip4j: CVE-2018-1002202
DotNetZip.Semverd: CVE-2018-1002205
SharpCompress: CVE-2018-1002206
Go library mholt/archiver: CVE-2018-1002207
Apache Storm: CVE-2018-8008
Apache Hadoop: CVE-2018-8009
Pivotal Spring-integration-zip: CVE-2018-1261, CVE-2018-1263
OWASP Dependency-Check: CVE-2018-12036
Sharplibzip: CVE-2018-1002208
Rubyzip: CVE-2018-1000544

Products Confirmed Not Vulnerable

No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by these vulnerabilities.

Version  Change                         Date
1.0      Initial Publication            June 21, 2018
1.1      Update: Rubyzip, Sharplibzip   August 29, 2018

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.