[https://issues.apache.org/jira/browse/QPID-8502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17271020#comment-17271020]
Alex Rudyy commented on QPID-8502:
----------------------------------
It seems that the Jetty servlet engine used in Apache Qpid Broker-J can be affected
by [CVE-2020-27218|https://nvd.nist.gov/vuln/detail/CVE-2020-27218].
As per the CVE description:
{quote}
if GZIP request body inflation is enabled and requests from different clients
are multiplexed onto a single connection, and if an attacker can send a request
with a body that is received entirely but not consumed by the application, then
a subsequent request on the same connection will see that body prepended to its
body. The attacker will not see any data but may inject data into the body of
the subsequent request.
{quote}
Qpid Broker-J validates every POST/PUT/DELETE request. If somehow the attacker
prepends some data to the request body, it is expected that validation would
catch that and report validation errors. Thus, it is unlikely that this
vulnerability can be exploited with Qpid Broker-J. Anyway, let's upgrade Jetty
to version 9.4.35.v20201120.
> Upgrade jetty component version
> -------------------------------
>
> Key: QPID-8502
> URL: https://issues.apache.org/jira/browse/QPID-8502
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-8.0.3, qpid-java-broker-7.1.11
> Reporter: Dedeepya
> Priority: Major
>
> The below components are reported as vulnerabilities and need to be upgraded
> ||Component Name||Component Version||
> |org.eclipse.jetty:jetty-server| 9.4.31.v20200723|
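The CVE text quoted above hinges on a request body that is "received entirely but not consumed by the application". The filter below is an added illustration of that precondition, not code from Qpid Broker-J or Jetty: it drains whatever the handler left unread once the request is handled, so no unconsumed body remains on the connection. It assumes the javax.servlet API used by Jetty 9.4; the version upgrade discussed in the thread remains the actual fix.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Hypothetical filter (not part of Broker-J): after the downstream handler
 * returns, read and discard any part of the request body it did not consume.
 */
public class DrainRequestBodyFilter implements Filter {
    private static final int BUFFER_SIZE = 4096;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(request, response);
        } finally {
            // Runs even when the handler rejected the request early (e.g. a
            // validation error) and therefore never touched the body.
            drain(request);
        }
    }

    /** Reads the remainder of the body to EOF; returns the number of bytes discarded. */
    static long drain(ServletRequest request) {
        byte[] buffer = new byte[BUFFER_SIZE];
        long discarded = 0;
        try (InputStream in = request.getInputStream()) {
            int n;
            while ((n = in.read(buffer)) != -1) {
                discarded += n;
            }
        } catch (IllegalStateException alreadyReadViaReader) {
            // getInputStream() throws if getReader() was used; the body was
            // then consumed through the reader and there is nothing to drain.
        } catch (IOException ignored) {
            // The connection is already broken; nothing further can be read.
        }
        return discarded;
    }
}
```

Register it in web.xml (or programmatically) for the paths that accept bodies; logging a non-zero return value from drain() is a cheap way to spot handlers that leave bodies unread.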