CVE-2022-1271 is a new vulnerability affecting gzip, a widely used open source component for archiving, compressing and decompressing files.
CVE-2022-1271, also tracked in the Black Duck Knowledge Base™ as BDSA-2022-0958, is a bug in gzip, a file format and software application used to archive, compress, and decompress files. Although a vulnerability in gzip has the potential to be cataclysmic, this vulnerability is actually in zgrep, a command used to search for a string in a gzip archive.
Filenames containing newlines can break zgrep in a way that lets an attacker overwrite arbitrary files; when GNU sed is also installed, the attacker can additionally execute code. Most applications do not bundle gzip directly, but they may invoke zgrep through a runtime call to the command line. In that case, if the application passes unsanitized user input as the filename, the vulnerability is exposed.
Container images used for cloud deployments will almost certainly have gzip. However, if you do not use the zgrep command, you will not be affected by this vulnerability.
Remediation efforts for CVE-2022-1271
Software composition analysis (SCA) tools are designed for exactly this kind of situation. An SCA tool analyzes application source code and container images and compiles a catalog of the open source components they contain, known as a software bill of materials (SBOM). When new vulnerabilities such as CVE-2022-1271 are discovered, a good SCA tool proactively notifies you so you can fix the problem immediately.
If your application uses zgrep and an attacker could supply filenames containing newlines, update gzip to version 1.12 (the latest release) as soon as possible.
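As an added illustration of the two mitigations just described (validating user-supplied filenames before they reach zgrep, and refusing to run on a gzip older than 1.12), here is a Python wrapper that is not part of the advisory or of gzip itself. It assumes the application invokes zgrep on files inside a fixed base directory, and that the first line of `gzip --version` has the form `gzip 1.10`; the function names are hypothetical.

```python
import re
import subprocess
from pathlib import Path
from typing import Optional, Tuple

# gzip release that ships the fixed zgrep (stated in the advisory above).
FIXED_GZIP_VERSION = (1, 12)


def is_safe_filename(name: str) -> bool:
    """Reject names zgrep should never see: empty, path components, or any
    control character (a newline is exactly what CVE-2022-1271 needs)."""
    if not name or len(name) > 255:
        return False
    if name in (".", "..") or "/" in name:
        return False
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name)


def resolve_target(name: str, base_dir: str) -> Optional[Path]:
    """Return the resolved path of `name` inside `base_dir`, or None if the
    name is unsafe or resolves (e.g. via a symlink) outside that directory."""
    if not is_safe_filename(name):
        return None
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    return target if target.parent == base else None


def parse_gzip_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Parse the first line of `gzip --version` (assumed format: 'gzip 1.10')."""
    match = re.match(r"gzip\s+(\d+)\.(\d+)", version_output)
    return (int(match.group(1)), int(match.group(2))) if match else None


def gzip_is_patched(version_output: str) -> bool:
    """True when the installed gzip is 1.12 or newer."""
    version = parse_gzip_version(version_output)
    return version is not None and version >= FIXED_GZIP_VERSION


def safe_zgrep(pattern: str, name: str, base_dir: str) -> subprocess.CompletedProcess:
    """Run zgrep only on a validated file, passing arguments as a list (no shell)."""
    target = resolve_target(name, base_dir)
    if target is None:
        raise ValueError("rejected unsafe filename: %r" % name)
    installed = subprocess.run(["gzip", "--version"], capture_output=True, text=True).stdout
    if not gzip_is_patched(installed):
        raise RuntimeError("gzip older than 1.12; update before exposing zgrep to user input")
    # -e keeps a pattern that begins with '-' from being parsed as an option.
    return subprocess.run(["zgrep", "-e", pattern, str(target)], capture_output=True, text=True)
```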
Watch our video on CVE-2022-1271, which includes a demo.