Jetty 9.3.0 to 9.3.8 inclusive is vulnerable to an aliasing issue when running on Windows platform. The vulnerability allows raw file resources protected by security constraints or in WEB-INF to be revealed. Only resources within the webapp are vulnerable.
The issue was fixed in release jetty-9.3.9 <http://download.eclipse.org/jetty/>, which is available via eclipse download <http://download.eclipse.org/jetty/> or in the maven central repository <http://search.maven.org/#artifactdetails%7Corg.eclipse.jetty%7Cjetty-distribution%7C9.3.9.v20160517%7Cpom>.

A work around is also documented in the ocert announcement below. Rewrite rules and/or filters can be installed that disallow URIs containing the \ character.

http://www.ocert.org/advisories/ocert-2016-001.html

This vulnerability is an example of an alias vulnerability, where a resource on the file system can be accessed via different names. Thus if a security configuration allows all URIs except for specific patterns, then any aliases that bypass the specific patterns can create a security vulnerability. Since updates to file systems and/or JVM libraries can (and have) introduced new types of aliases, it is good security practice to install a deny constraint on all URIs and then selectively allow specific URIs.

The CVE is not yet visible in the NVD database <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4800>.

The Jetty team would like to acknowledge the assistance of ocert <http://www.ocert.org/advisories/ocert-2016-001.html> in finding and handling this issue.

--
Greg Wilkins <[email protected]> CTO http://webtide.com
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
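The work around mentioned above (a filter that disallows URIs containing the \ character) as a worked example. This is added illustration written for this note, not code from the announcement, from ocert or from the Jetty project. The filter name, the class name and the decision to also reject the percent-encoded form %5C are assumptions of this example; the one fact it relies on is that HttpServletRequest.getRequestURI() returns the URI as sent by the client, undecoded, so an encoded backslash still appears as %5C and can be matched before any servlet resolves the path to a file.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Jetty) that refuses any request whose
 * raw URI contains a backslash, either literally or percent-encoded.
 * Map it to /* and declare it before other filters in web.xml so it runs
 * ahead of the DefaultServlet that would otherwise serve the file.
 */
public class RejectBackslashFilter implements Filter {

    /**
     * Returns true when the undecoded request URI contains a backslash in
     * any spelling: the raw character or %5C / %5c.
     */
    static boolean containsBackslash(String rawUri) {
        if (rawUri == null) {
            return false;
        }
        // getRequestURI() is not decoded by the container, so an encoded
        // backslash is still visible here as "%5C" (case-insensitive).
        String upper = rawUri.toUpperCase(Locale.ROOT);
        return upper.indexOf('\\') >= 0 || upper.contains("%5C");
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration is needed for this filter.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (containsBackslash(request.getRequestURI())) {
            // Refuse outright: do not rewrite, redirect or forward the
            // request, since any of those would hand the alias onward.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to clean up.
    }
}
```

Register the filter in web.xml with a `<filter-mapping>` on `/*`, listed before any other filter mapping, because filters declared in web.xml run in declaration order whereas annotation-declared filters have no guaranteed order. This is a mitigation for the alias spelling known at the time, not a substitute for the upgrade to jetty-9.3.9; the stronger shape the announcement recommends is a deny-everything `<security-constraint>` on `/*` with an empty `<auth-constraint/>`, plus more specific constraints that open only the paths you intend to serve, so that an alias which slips past a pattern falls into the denied default rather than the permitted one.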
