====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN441
_____________________________________________________________________

DATE                : 12/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache AsterixDB versions prior to
                                             0.9.5.

=====================================================================
http://mail-archives.apache.org/mod_mbox/asterixdb-dev/202008.mbox/%3cCAKMqrgcccGU6fKdkc+J_imhqXmCPGrMyALXR81ekPXC6GpfEPA@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-9479: AsterixDB directory traversal

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: None released, git commits
580b81aa5e8888b8e1b0620521a1c9680e54df73 to
28c0ee84f1387ab5d0659e9e822f4e3923ddc22d ,
fixed in 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d and mitigated by
694ffd194ce5c6e610f61368c1511778d0bff254
Description: When loading a UDF, a specially crafted zip file could
allow files to be placed outside of the UDF deployment directory.

Mitigation: Upgrade unreleased versions past
28c0ee84f1387ab5d0659e9e822f4e3923ddc22d or to 0.9.5 .
Don't allow untrusted access to the UDF endpoint.

Example: The zip file will contain a directory entry named ".."

Credit: This issue was discovered by Yiming Xiang of NSFOCUS


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================