[jetty-dev] Recent CVEs in Eclipse Jetty

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] Recent CVEs in Eclipse Jetty

From: Chris Walker <chris@xxxxxxxxxxx>
Date: Thu, 1 Apr 2021 09:31:29 -0500
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-dev/>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>

Hello,

The Eclipse Jetty team wanted to make the community aware of three recent CVEs that were discovered in the Jetty project. All three have been patched in the most recent releases of Jetty. Details concerning each CVE, as well as workarounds, are below.

CVE-2021-28165 - Invalid Large TLS Frame causes 100% Usage

Affected Jetty Versions
7.2.2-9.4.38, 10.0.0.alpha0-10.0.1, 11.0.0.alpha0-11.0.1

Impact
When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.

Patched Jetty Versions
9.4.39, 10.0.2, 11.0.2

Workarounds
Please see the Security Advisory for the workaround to this issue.

CVE ID
CVE-2021-28165

CWE
CWE-400

CVSS Score
7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-28164 - Ambiguous paths can access WEB-INF

Affected Jetty Versions
9.4.37 - 9.4.38

Impact
Since 9.4.37, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Patched Jetty Versions
9.4.39

Workarounds
The HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS can be enabled by updating start.d/http.ini to include:

jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS

CVE ID
CVE-2021-28164

CWEs
CWE-200, CWE-551

CVSS Score
5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2021-28163 - Symlink Directory Exposes Webapp Directory Contents

Affected Jetty Versions
9.4.32-9.4.38, 10.0.0.beta2-10.0.1, 11.0.0.beta2-11.0.1

Impact
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.

For example, the problem manifests in the following ${jetty.base}:

# The webapps directory is a symlink
$ tree jetty-base/
jetty-base/
├── etc
├── lib
├── resources
├── start.d
├── deploy
│ └── async-rest.war
└── webapps -> deploy

# The jetty-base directory is a symlink
$ /var/www/jetty -> /srv/jetty-base/
/srv/jetty-base/
├── etc
├── lib
├── resources
├── start.d
└── webapps
└── async-rest.war

Patched Jetty Versions
9.4.39, 10.0.2, 11.0.2

Workarounds
Do not use a symlink for the webapps directory.

CVE ID
CVE-2021-28163

CWE
CWE-200

CVSS Score
2.7 Low
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Commercial production and development support for Jetty is offered through Webtide (www.webtide.com). Please contact us for more information or email chris@xxxxxxxxxxx to discuss your specific needs.

Best Regards,

The Jetty Development Team

Prev by Date: Re: [jetty-dev] Eclipse Jetty 9.4.38, 10.0.1, and 11.0.1 Have Been Released!
Next by Date: [jetty-dev] Eclipse Jetty 9.4.39, 10.0.2, and 11.0.2 Have Been Released!
Previous by thread: [jetty-dev] Fwd: java.net.SocketException:No buffer space available (maximum connections reached?):
Next by thread: [jetty-dev] Eclipse Jetty 9.4.39, 10.0.2, and 11.0.2 Have Been Released!
Index(es):
- Date
- Thread

Breadcrumbs