Bug#902774: jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2018-12536 CVE-2018-12538

Markus Koschany apo at debian.org
Sat Jun 30 19:41:05 BST 2018


Package: jetty9
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jetty9.

CVE-2017-7656[0]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style
| request line (i.e. method space URI space version) that declares a
| version of HTTP/0.9 was accepted and treated as a 0.9 request. If
| deployed behind an intermediary that also accepted and passed through
| the 0.9 version (but did not act on it), then the response sent could
| be interpreted by the intermediary as HTTP/1 headers. This could be
| used to poison the cache if the server allowed the origin client to
| generate arbitrary content in the response.

CVE-2017-7657[1]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), transfer-encoding chunks are handled poorly. The
| chunk length parsing was vulnerable to an integer overflow. Thus a
| large chunk size could be interpreted as a smaller chunk size and
| content sent as chunk body could be interpreted as a pipelined
| request. If Jetty was deployed behind an intermediary that imposed
| some authorization and that intermediary allowed arbitrarily large
| chunks to be passed on unchanged, then this flaw could be used to
| bypass the authorization imposed by the intermediary as the fake
| pipelined request would not be interpreted by the intermediary as a
| request.

CVE-2017-7658[2]:
| In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non
| HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations),
| when presented with two content-lengths headers, Jetty ignored the
| second. When presented with a content-length and a chunked encoding
| header, the content-length was ignored (as per RFC 2616). If an
| intermediary decided on the shorter length, but still passed on the
| longer body, then body content could be interpreted by Jetty as a
| pipelined request. If the intermediary was imposing authorization, the
| fake pipelined request would bypass that authorization.

CVE-2018-12536[3]:
| In Eclipse Jetty Server, all 9.x versions, on webapps deployed using
| default Error Handling, when an intentionally bad query arrives that
| doesn't match a dynamic url-pattern, and is eventually handled by the
| DefaultServlet's static file serving, the bad characters can trigger a
| java.nio.file.InvalidPathException which includes the full path to the
| base resource directory that the DefaultServlet and/or webapp is
| using. If this InvalidPathException is then handled by the default
| Error Handler, the InvalidPathException message is included in the
| error response, revealing the full server path to the requesting
| system.

CVE-2018-12538[4]:
| In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional
| Jetty provided FileSessionDataStore for persistent storage of
| HttpSession details, it is possible for a malicious user to
| access/hijack other HttpSessions and even delete unmatched
| HttpSessions present in the FileSystem's storage for the
| FileSessionDataStore.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7656
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656
[1] https://security-tracker.debian.org/tracker/CVE-2017-7657
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657
[2] https://security-tracker.debian.org/tracker/CVE-2017-7658
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
[3] https://security-tracker.debian.org/tracker/CVE-2018-12536
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536
[4] https://security-tracker.debian.org/tracker/CVE-2018-12538
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538

Please adjust the affected versions in the BTS as needed.

Markus
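The three framing ambiguities the quoted advisories describe (an HTTP/0.9 version token on an HTTP/1-style request line, a chunk size that overflows a 32-bit length, and conflicting Content-Length / Transfer-Encoding headers) are exactly what a strict front-end parser should refuse rather than guess about. The following is an added example in that spirit, not code from the bug report or from Jetty; all request samples are constructed.

```python
"""Strict HTTP/1.x request framing (added example, not Jetty's own code).
Each check refuses one ambiguity named in the advisories above: an HTTP/0.9
token on an HTTP/1-style request line, a chunk size that wraps a signed
32-bit int, and conflicting body-length headers. Inputs are constructed."""
import re

TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 7230 token
MAX_CHUNK = 0x7FFFFFFF  # larger values wrap in a signed 32-bit parser


class FramingError(ValueError):
    """The request would not be framed the same way by every hop."""

def parse_request_line(line: bytes) -> tuple:
    parts = line.split(b" ")
    if len(parts) != 3 or not TOKEN.fullmatch(parts[0]) or not parts[1]:
        raise FramingError("malformed request line")
    # CVE-2017-7656: a three-token line naming HTTP/0.9 is refused outright
    # rather than downgraded to a 0.9 request an intermediary may misread.
    if parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise FramingError("unsupported or ambiguous version %r" % parts[2])
    return tuple(parts)

def parse_chunk_size(line: bytes) -> int:
    size_hex = line.split(b";", 1)[0].strip()  # drop chunk extensions
    if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_hex):
        raise FramingError("chunk size is not a bounded hex number")
    size = int(size_hex, 16)  # Python ints never overflow; bound explicitly
    if size > MAX_CHUNK:  # CVE-2017-7657: would wrap to a small size downstream
        raise FramingError("chunk size 0x%x exceeds 32-bit limit" % size)
    return size

def body_length(head: bytes):
    """Body length in bytes from a raw request head; None when chunked."""
    lengths, chunked = set(), False
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.lower() == b"content-length":
            lengths.add(value.strip())
        elif sep and name.lower() == b"transfer-encoding":
            chunked = b"chunked" in value.lower()
    if chunked and lengths:  # CVE-2017-7658: hops may apply different rules
        raise FramingError("Content-Length alongside Transfer-Encoding")
    if len(lengths) > 1:  # CVE-2017-7658: duplicate, disagreeing lengths
        raise FramingError("conflicting Content-Length values")
    if chunked:
        return None
    value = lengths.pop() if lengths else b"0"
    if not value.isdigit():
        raise FramingError("non-numeric Content-Length")
    return int(value)
```

Identical duplicate Content-Length values are tolerated, as RFC 7230 permits; only disagreeing ones are refused.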
