Payara Micro File Read (CVE-2021-41381) - Vulnerability Database

Payara Micro File Read (CVE-2021-41381)

Description

Payara Micro Community 5.2021.6 and earlier contain a path traversal vulnerability (CVE-2021-41381). A remote attacker can bypass the restriction that keeps protected parts of a deployed web application archive (.war) from being served and read files inside the archive, including the contents of WEB-INF (web.xml, compiled classes, bundled libraries), which a servlet container must never serve directly. The cause is insufficient validation of the requested path: directory traversal sequences such as '../' are not normalised and rejected before the server resolves the file, so a request can reach files outside the directory that static resource handling is meant to expose. The exposure is limited to the contents of the deployed archive, not the host filesystem, but the archive typically contains configuration, credentials and application code.

Remediation

Upgrade Payara Micro Community to version 5.2021.7 or later, which addresses CVE-2021-41381. Follow these steps:

1. Identify all instances of Payara Micro in your environment, including uber-JARs and container images that embed payara-micro.jar, and record their current versions
2. Download the latest patched version from the official Payara downloads page
3. Test the upgrade in a non-production environment to ensure application compatibility
4. Deploy the updated version to production systems following your change management procedures
5. Verify the fix by confirming the reported version and by requesting a known protected resource (for example a path that resolves to WEB-INF/web.xml) through a traversal sequence; the patched server must return an error response rather than the file's contents

If immediate patching is not possible, note that application-level input validation does not help here: the flaw is in Payara Micro's own handling of request paths, so the traversal requests never reach application code. The only effective stopgap is to place a reverse proxy or web application firewall (WAF) in front of the server that canonicalises each request path before matching (percent-decoding, collapsing '.' and '..' segments) and denies any request that resolves into /WEB-INF/ or /META-INF/ or still contains a traversal sequence. Treat this as temporary; the upgrade is the fix.
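The following is an added example, not Invicti's or Payara's code. It covers both verification step 5 above and the WAF-style mitigation: it canonicalises request paths the way a hardening front end should (repeated percent-decoding, dropping ';' path parameters, collapsing '.' and '..'), flags requests that resolve into WEB-INF or META-INF or escape the root, and runs the check over constructed access-log lines, noting whether the server actually served the protected file (a 2xx status) or blocked it. The log lines, client addresses and the /app context root are assumptions; the ';' handling is general Java servlet-container hardening, not a statement about how this CVE is triggered.

```python
"""Detect path-traversal probes against WEB-INF/META-INF in HTTP access logs.

Added example; not code from Invicti or the Payara project.
"""
import posixpath  # noqa: F401  (kept for readers who want to compare with posixpath.normpath)
import re
from urllib.parse import unquote

# Servlet containers must never serve these archive directories directly.
PROTECTED_DIRS = ("WEB-INF", "META-INF")


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%252e%252e) collapses to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def canonical_path(raw_path):
    """Return (canonical_path, escaped_root) for a raw request target.

    Query string is dropped, backslashes are treated as '/', and ';' path
    parameters are stripped per segment (assumption: general hardening for
    Java containers, where '..;' can slip past a naive '..' filter).
    """
    path = decode_fully(raw_path.split("?", 1)[0]).replace("\\", "/")
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    stack, escaped = [], False
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # more '..' than directories: left the root
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped


def classify(raw_path):
    """Return a reason string for a suspicious request, or None if benign."""
    canonical, escaped = canonical_path(raw_path)
    if escaped:
        return "escapes-root"
    # Case-insensitive: deployments on case-insensitive filesystems would match.
    if any(seg.upper() in PROTECTED_DIRS for seg in canonical.split("/")):
        return "protected-dir"
    # Browsers normalise '..' before sending; seeing it server-side is itself a probe.
    if ".." in decode_fully(raw_path.split("?", 1)[0]):
        return "traversal-sequence"
    return None


# Common Log Format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Run classify() over access-log lines; 'served' marks a 2xx response."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        reason = classify(path)
        if reason is None:
            continue
        alerts.append({
            "client": client,
            "path": path,
            "canonical": canonical_path(path)[0],
            "reason": reason,
            "served": status.startswith("2"),
        })
    return alerts


# Constructed sample log lines (assumed /app context root and RFC 5737 test addresses).
SAMPLE_LOG = """
192.0.2.10 - - [17/Sep/2021:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 512
192.0.2.11 - - [17/Sep/2021:10:00:02 +0000] "GET /app/..%2fWEB-INF/web.xml HTTP/1.1" 200 1187
192.0.2.12 - - [17/Sep/2021:10:00:03 +0000] "GET /app/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
192.0.2.13 - - [17/Sep/2021:10:00:04 +0000] "GET /app/..;/WEB-INF/web.xml HTTP/1.1" 200 1187
192.0.2.14 - - [17/Sep/2021:10:00:05 +0000] "GET /app/css/../main.css HTTP/1.1" 200 2048
""".strip().splitlines()


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        verdict = "SERVED (unpatched?)" if alert["served"] else "blocked"
        print(f'{alert["client"]} {alert["reason"]:18} {alert["canonical"]:24} {verdict}')
```

A protected-dir hit with a 2xx status is the signal that matters: the server returned the archive file, so that instance is still unpatched. The same canonicalise-then-match logic, applied to the request before it reaches Payara, is what the reverse proxy or WAF rule needs to implement; matching on the raw, still-encoded path misses the encoded variants shown in the sample.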
