Hello,

The Eclipse Jetty team wanted to make the community aware of three recent CVEs that were discovered in the Jetty project. All three have been patched in the most recent releases of Jetty. Details concerning each CVE, as well as workarounds, are below.
*CVE-2021-28165 - Invalid Large TLS Frame causes 100% Usage*

*Affected Jetty Versions*
7.2.2-9.4.38, 10.0.0.alpha0-10.0.1, 11.0.0.alpha0-11.0.1

*Impact*
When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.

*Patched Jetty Versions*
9.4.39, 10.0.2, 11.0.2

*Workarounds*
Please see the Security Advisory <https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w> for the workaround to this issue.

*CVE ID*
CVE-2021-28165

*CWE*
CWE-400

*CVSS Score*
7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


*CVE-2021-28164 - Ambiguous paths can access WEB-INF*

*Affected Jetty Versions*
9.4.37 - 9.4.38

*Impact*
Since 9.4.37, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

*Patched Jetty Versions*
9.4.39

*Workarounds*
The HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS can be enabled by updating start.d/http.ini to include:

  jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS

*CVE ID*
CVE-2021-28164

*CWEs*
CWE-200, CWE-551

*CVSS Score*
5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


*CVE-2021-28163 - Symlink Directory Exposes Webapp Directory Contents*

*Affected Jetty Versions*
9.4.32-9.4.38, 10.0.0.beta2-10.0.1, 11.0.0.beta2-11.0.1

*Impact*
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.
For example, the problem manifests in the following ${jetty.base}:

  # The webapps directory is a symlink
  $ tree jetty-base/
  jetty-base/
  ├── etc
  ├── lib
  ├── resources
  ├── start.d
  ├── deploy
  │   └── async-rest.war
  └── webapps -> deploy

  # The jetty-base directory is a symlink
  $ /var/www/jetty -> /srv/jetty-base/
  /srv/jetty-base/
  ├── etc
  ├── lib
  ├── resources
  ├── start.d
  └── webapps
      └── async-rest.war

*Patched Jetty Versions*
9.4.39, 10.0.2, 11.0.2

*Workarounds*
Do not use a symlink for the webapps directory.

*CVE ID*
CVE-2021-28163

*CWE*
CWE-200

*CVSS Score*
2.7 Low
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N


Commercial production and development support for Jetty is offered through Webtide (www.webtide.com). Please contact us <https://webtide.com/contact/> for more information or email [email protected] to discuss your specific needs.

Best Regards,
The Jetty Development Team
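As an added example that is not part of the advisory or the Jetty project, the following Python script scans constructed access-log lines for the CVE-2021-28164 pattern described above: percent-encoded dot segments (%2e, %2e%2e) of the kind that the RFC7230_NO_AMBIGUOUS_URIS compliance mode rejects, reporting whether the normalised path would land inside WEB-INF. The NCSA-style log layout and all sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in an NCSA-style request-log layout.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2021:10:00:01 +0000] "GET /context/index.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Apr/2021:10:00:02 +0000] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.7 - - [01/Apr/2021:10:00:03 +0000] "GET /context/static/%2E%2E/WEB-INF/classes/app.properties HTTP/1.1" 200 310
10.0.0.9 - - [01/Apr/2021:10:00:04 +0000] "GET /context/./index.html HTTP/1.1" 404 0
"""
# Pulls the request line out of a log entry: "<METHOD> <URI> HTTP/<version>"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def ambiguous_dot_segments(uri: str) -> list:
    """Raw path segments that percent-decode to '.' or '..' without being
    written literally, i.e. the encoded forms the compliance mode rejects."""
    path = uri.split("?", 1)[0]
    return [seg for seg in path.split("/")
            if seg not in (".", "..") and unquote(seg) in (".", "..")]

def resolves_into_web_inf(uri: str) -> bool:
    """Percent-decode each segment, apply dot-segment normalisation, and
    report whether the resulting path contains a WEB-INF directory."""
    resolved = []
    for seg in uri.split("?", 1)[0].split("/"):
        decoded = unquote(seg)
        if decoded in ("", "."):
            continue
        if decoded == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(decoded)
    return any(s.upper() == "WEB-INF" for s in resolved)

def scan_access_log(text: str) -> list:
    """One finding per request whose URI carries encoded dot segments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        uri = match.group("uri")
        encoded = ambiguous_dot_segments(uri)
        if encoded:
            findings.append({"line": lineno, "uri": uri, "encoded_segments": encoded,
                             "web_inf": resolves_into_web_inf(uri)})
    return findings
```

A literal `/./` segment (line 4 of the sample) is not reported, since the advisory concerns the encoded forms only; a hit with `web_inf` set is the case worth investigating first on unpatched 9.4.37-9.4.38 servers.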
