Before you go changing things, start with just using
Server.setDumpAfterStart(true); or use WebAppContext.dump() to see what's
the truth about your app.
If you have a DefaultServlet present on your WebAppContext, then you'll
want to pay attention.

You can turn off Directory Listings instead of upgrading ...

If you have a WEB-INF/web.xml you can use the following snippet.

<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
  <init-param>
    <param-name>dirAllowed</param-name>
    <param-value>false</param-value>
  </init-param>
  ... (other init) ...
  <load-on-startup>0</load-on-startup>
</servlet>

Or you can simply use an alternate webdefault.xml via the
WebAppContext.setDefaultsDescriptor(String defaultsDescriptorLocation)
<https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setDefaultsDescriptor(java.lang.String)>.
Just copy the existing webdefault.xml
<https://github.com/eclipse/jetty.project/blob/jetty-9.4.17.v20190418/jetty-webapp/src/main/config/etc/webdefault.xml>
and edit it to suit your needs.

The alternate Default Descriptor can also be configured via the
DeploymentManager and WebAppProvider.setDefaultsDescriptor(String),
which will be used with all deployed WebAppContexts.

Joakim Erdfelt / [email protected]
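
One way to verify the setting Joakim describes, as an added example that is not part of the thread or of the Jetty project: it parses a WEB-INF/web.xml or a copied webdefault.xml and reports which DefaultServlet declarations still have dirAllowed effectively on. The two descriptors are constructed here, and the namespace handling covers the javaee xmlns that real descriptors carry.

```python
# Constructed example (not Jetty project code): audit a web.xml or a copied
# webdefault.xml for DefaultServlet instances that still allow directory listings.
import xml.etree.ElementTree as ET
DEFAULT_SERVLET = "org.eclipse.jetty.servlet.DefaultServlet"

# Constructed descriptors, carrying the javaee namespace real web.xml files use.
# WEAK leaves dirAllowed at its default; HARDENED adds the init-param from the thread.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param><param-name>dirAllowed</param-name>"
    "<param-value>false</param-value></init-param><load-on-startup>",
)

def _local(tag: str) -> str:
    """Strip the XML namespace so tag lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem: ET.Element, name: str) -> str:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def default_servlet_listings(web_xml: str) -> dict:
    """Map servlet-name -> effective dirAllowed for every DefaultServlet.
    An absent init-param counts as True, the servlet's built-in default."""
    result = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        dir_allowed = True  # value when no dirAllowed init-param is present
        for init in servlet:
            if _local(init.tag) == "init-param" and _child_text(init, "param-name") == "dirAllowed":
                dir_allowed = _child_text(init, "param-value").lower() == "true"
        result[_child_text(servlet, "servlet-name")] = dir_allowed
    return result

def listing_enabled(web_xml: str) -> list:
    """Names of DefaultServlet instances that still serve directory listings."""
    return sorted(n for n, ok in default_servlet_listings(web_xml).items() if ok)
```

Run it against the descriptor your WebAppContext actually loads (Server.setDumpAfterStart(true) shows which one that is); an empty result from listing_enabled means no DefaultServlet in that file still lists directories.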


On Mon, Apr 22, 2019 at 5:06 PM <[email protected]> wrote:

> So the answer is “no, you need to upgrade.” :)
>
> Thank you for the very quick reply.
>
> From: [email protected] <[email protected]> On Behalf Of Joakim Erdfelt
> Sent: Monday, April 22, 2019 15:04
> To: JETTY user mailing list <[email protected]>
> Cc: Jetty @ Eclipse developer discussion list <[email protected]>; Jetty Announce @ Eclipse <[email protected]>
> Subject: Re: [jetty-users] Indexing/Listing Vulnerability in Jetty
>
> DefaultServlet is added by default if using a WebAppContext.
>
> Why? well, the WebAppContext loads the webdefault.xml from system
> resources, which has the DefaultServlet present.
>
> That same webdefault.xml has `dirAllowed` set to true by default.
>
> The DefaultHandler is only present if you specifically set it up to use it.
>
> The jetty-home (and the older jetty-distribution) usages do set it up by
> default, but embedded-jetty has no such behavior.
>
>
> Joakim Erdfelt / [email protected]
>
> On Mon, Apr 22, 2019 at 4:11 PM <[email protected]> wrote:
>
> Thank you for all of your excellent work over the years.
>
> I am using a customized, embedded version of Jetty (which is an OSS
> project that I hope to publicly launch soon!) that does not use either one.
> I’m ok, right? (Although it would not be a big deal to upgrade to the
> latest Jetty, so maybe I should upgrade anyhow.)
>
> Thanks
>
> --Steve
>
> From: [email protected] <[email protected]> On Behalf Of Chris Walker
> Sent: Monday, April 22, 2019 11:32
> To: JETTY user mailing list <[email protected]>; Jetty @ Eclipse developer discussion list <[email protected]>; [email protected]
> Subject: [jetty-users] Indexing/Listing Vulnerability in Jetty
>
> Hello!
>
> Greetings from the team at Webtide. We wanted to make you aware of a
> vulnerability that was recently discovered in Jetty and reported as
> CVE-2019-10241, CVE-2019-10246 and CVE-2019-10247.
>
> If you are using *DefaultServlet* or *ResourceHandler* with
> indexing/listing, then you are vulnerable to a variant of XSS behaviors
> surrounding the use of injected HTML element attributes on the parent
> directory link. We recommend disabling indexing/listing or upgrading to a
> non-vulnerable version.
>
> We have put together a blog post that contains more information on how to
> disable indexing/listing, which can be found on the Webtide website.
>
>    - https://webtide.com/indexing-listing-vulnerability/
>
> Additionally, we discovered that usages of *DefaultHandler* were
> susceptible to a similar leak of information. If no webapp was mounted on
> the root "/" namespace, a page would be generated with links to other
> namespaces. This has been the default behavior in Jetty for years, but we
> have removed this to safeguard data.
>
> As a result of these CVEs, we have released new versions for the 9.2.x,
> 9.3.x, and 9.4.x branches. The most up-to-date versions of all three are as
> follows, and are available both on the Jetty website and Maven Central.
>
> Versions affected:
>
>    - 9.2.26 and older (now EOL)
>    - 9.3.25 and older
>    - 9.4.15 and older
>
> Resolved:
>
>    - 9.2.28.v20190418
>    - 9.3.27.v20190418
>    - 9.4.17.v20190418
>
> Best Regards,
> The Webtide Team
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
>