apport read_file() function could follow maliciously constructed symbolic links
Description
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-8 package apport hooks, it could expose private data to other local users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apport's read_file() follows symlinks; used by openjdk-8 hooks, allowing local attackers to read arbitrary files via crafted symlinks.
Vulnerability
In apport (the crash reporting system for Ubuntu), the read_file() function in apport/hookutils.py does not prevent following symbolic links or opening FIFOs. When this function is invoked by the openjdk-8 package’s Apport hook (source_openjdk-8.py), it constructs a file path using user-controlled data (ProcCwd) without sanitization [1]. An attacker can place a symbolic link pointing to any sensitive file (e.g., /etc/shadow) at the expected path, causing the hook to read its contents during a crash report. The vulnerability affects apport versions prior to the fix released in June 2021.
Exploitation
A local attacker with the ability to create symbolic links in the working directory of a crashing OpenJDK 8 process can trigger the exploit. The attacker must first cause or wait for an OpenJDK 8 application to crash (e.g., by triggering a JVM crash). When the crash occurs, Apport runs the hook, which reads the file hs_err_pid.log from ProcCwd. If the attacker has pre-created a symlink at that location pointing to an arbitrary file, read_file() will follow it and include the target file’s content (up to 100 KB) in the crash report, which is then stored in /var/crash/ and may be readable by other local users. No special privileges beyond local access and the ability to write to the crash process’s working directory are required; the protected_symlinks sysctl (fs.protected_symlinks) may mitigate this on systems where it is enabled, but it is not set by default in all Ubuntu versions [1].
Impact
Successful exploitation allows a local attacker to read arbitrary files on the system with the permissions of the user running the crashing OpenJDK 8 process (typically the victim user). This can lead to disclosure of sensitive information such as private keys, passwords, or system configuration files. The attacker does not gain code execution or elevated privileges directly but can exfiltrate confidential data to other local users.
Mitigation
Ubuntu released a fix for apport (version 2.20.11-0ubuntu82.5 for focal, and similar updates for other releases) that addresses the symlink-following behavior in read_file(). Users should update the apport package immediately. As a workaround, enabling fs.protected_symlinks=1 via sysctl can prevent the attack on systems where it is not already active, though this may affect system behavior. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
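A sketch of how a hook helper can refuse symbolic links and FIFOs when reading a file. This is an added example, not apport's read_file() and not the patch Ubuntu shipped. The names safe_read_file, UnsafeFileError and demo are hypothetical, the 100 KB cap is an assumption taken from the figure quoted above, and the behaviour shown is for Linux.

```python
import errno
import os
import stat
import tempfile

class UnsafeFileError(Exception):
    """Raised when the path is not a plain regular file (hypothetical name)."""

def safe_read_file(path, max_bytes=100 * 1024):  # cap is an assumption
    # O_NOFOLLOW: open() fails with ELOOP if the final path component is a
    # symlink (earlier components are still resolved normally).
    # O_NONBLOCK: opening a FIFO with no writer returns instead of hanging.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise UnsafeFileError("symbolic link") from e
        raise
    with os.fdopen(fd, "rb") as f:
        # Check the descriptor we hold, not the path, so the file cannot be
        # swapped between the check and the read.
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise UnsafeFileError("not a regular file")
        return f.read(max_bytes)

def demo():
    """Run the helper over constructed inputs: regular file, symlink, FIFO."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "secret.txt")
        with open(real, "wb") as f:
            f.write(b"private data")
        link = os.path.join(d, "link.log")
        os.symlink(real, link)
        fifo = os.path.join(d, "fifo.log")
        os.mkfifo(fifo)
        for name, p in (("regular", real), ("symlink", link), ("fifo", fifo)):
            try:
                results[name] = safe_read_file(p)
            except UnsafeFileError as e:
                results[name] = "refused: " + str(e)
    return results

if __name__ == "__main__":
    print(demo())
```

Because O_NOFOLLOW covers only the last path component, a caller reading from a directory another user controls still needs to consider whose privileges the read runs with.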
Affected products
- Range: 2.20.1
Patches
No patches discovered yet.
References
[1] bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904 (mitre, x_refsource_MISC)