apport read_file() function could follow maliciously constructed symbolic links
Description
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-15 package apport hooks, it could expose private data to other local users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apport's read_file() follows symlinks/FIFOs, and the openjdk hook uses unfiltered cwd input, enabling local file disclosure.
Vulnerability
CVE-2021-32551 is a vulnerability in the read_file() function inside apport/hookutils.py. When called by the openjdk-15 package apport hooks, this function follows symbolic links and opens FIFO special files without validation. The exploitable code path is in the add_info() routine of source_openjdk-*.py hooks, which constructs a path from the user-controlled ProcCwd report field and the process PID; it does not sanitize or check that the resulting path is a regular file. The issue affects versions of apport and the openjdk-* hooks as shipped in Ubuntu (the bug report references openjdk-14-lts; openjdk-15 is similarly affected). On default Ubuntu installations only the openjdk hook is directly exploitable; other hooks that rely on read_file() are mitigated by the fs.protected_symlinks sysctl setting [1].
Exploitation
A local attacker with the ability to create symbolic links or FIFOs on the filesystem (e.g., in a world-writable directory) can craft a file path that, when interpreted by the add_info() function, resolves to a sensitive file the attacker should not be able to read. The attacker must first trigger a crash in a Java process (e.g., openjdk-15), which causes Apport to collect a crash report. When Apport runs, it reads the attacker-controlled ProcCwd and PID values, constructs a path like /tmp/attacker_symlink/hs_err_pid1234.log, and calls read_file() on it. Because read_file() follows symlinks, the content of an arbitrary file (e.g., /etc/shadow or another user's private data) is captured into the report. The attacker can then retrieve the report if they have read access to the crash report directory (typical on local multi-user systems) [1].
Impact
Successful exploitation allows a local unprivileged attacker to read arbitrary files on the system, including sensitive private data of other users (e.g., SSH private keys, shadow entries, confidential documents). The impact is limited to information disclosure; the attacker does not obtain write or execute capabilities. The compromise occurs at the privilege level of the Apport crash-handling daemon (typically whoopsie or root), but the disclosed data is returned to the attacker through the available crash report [1].
Mitigation
Ubuntu released updates for the apport package that fix the vulnerability by adding checks against symlinks and FIFOs in read_file(), and by sanitizing the path construction in the openjdk hooks. Users should install the patched version (apport 2.20.11-0ubuntu82.1 or later, as referenced in the launchpad bug [1]) and restart the Apport service. The bug report also notes that the fs.protected_symlinks sysctl provides a partial defense, but this is not a complete mitigation for the openjdk hook path; the full software fix is required [1].
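One way to implement the kind of symlink and FIFO check described above, as an added example for Linux that is not apport's patch and not code from this page. The name read_file_hardened, the max_bytes cap and the sample files are assumptions constructed for illustration.

```python
import errno
import os
import stat
import tempfile


def read_file_hardened(path, max_bytes=1 << 20):
    """Return the bytes of `path` only if it is a regular file (hypothetical helper)."""
    # O_NOFOLLOW: open() fails with ELOOP on Linux if the final component is a symlink.
    # O_NONBLOCK: opening a FIFO with no writer returns at once instead of hanging.
    # Caveat: O_NOFOLLOW does not cover symlinks in parent directories of `path`.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise ValueError(f"refusing symlink: {path}") from exc
        raise
    with os.fdopen(fd, "rb") as f:
        # fstat() the open descriptor, not the path, so a later swap cannot change the answer.
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise ValueError(f"refusing non-regular file: {path}")
        return f.read(max_bytes)


def demo():
    """Constructed sample: one regular file, one symlink to it, one FIFO."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "hs_err_pid1234.log")
        with open(regular, "wb") as f:
            f.write(b"crash log\n")
        link = os.path.join(d, "link.log")
        os.symlink(regular, link)
        fifo = os.path.join(d, "fifo.log")
        os.mkfifo(fifo)
        for name, p in (("regular", regular), ("symlink", link), ("fifo", fifo)):
            try:
                results[name] = read_file_hardened(p)
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```
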
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2.20.1
Patches
No patches discovered yet.
References
[1] bugs.launchpad.net/ubuntu/+source/apport/+bug/1917904 (mitre, x_refsource_MISC)