This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED-JETTY-RHEL7.NASLRHEL 7 : jetty (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
-
jetty: Timing channel attack in util/security/Password.java (CVE-2017-9735)
-
jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429)
-
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn’t match a dynamic url-pattern, and is eventually handled by the DefaultServlet’s static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
(CVE-2018-12536) -
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of quality (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. (CVE-2020-27223)
-
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
(CVE-2021-28163) -
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. (CVE-2021-28164)
-
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. (CVE-2021-28165)
-
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to
/concat?/%2557EB-INF/web.xmlcan retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. (CVE-2021-28169) -
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
(CVE-2021-34428) -
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
(CVE-2023-36479) -
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the
+character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario. (CVE-2023-40167) -
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty
OpenIdAuthenticatoruses the optional nestedLoginService, and thatLoginServicedecides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by theLoginService. This impacts usages of the jetty-openid which have configured a nestedLoginServiceand where thatLoginServicewill is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue. (CVE-2023-41900) -
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
(CVE-2024-22201)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory jetty. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(196483);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/13");
script_cve_id(
"CVE-2017-9735",
"CVE-2018-12536",
"CVE-2020-27223",
"CVE-2021-28163",
"CVE-2021-28164",
"CVE-2021-28165",
"CVE-2021-28169",
"CVE-2021-34428",
"CVE-2021-34429",
"CVE-2023-36479",
"CVE-2023-40167",
"CVE-2023-41900",
"CVE-2024-22201"
);
script_xref(name:"CEA-ID", value:"CEA-2021-0025");
script_name(english:"RHEL 7 : jetty (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- jetty: Timing channel attack in util/security/Password.java (CVE-2017-9735)
- jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429)
- In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an
intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the
DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException
which includes the full path to the base resource directory that the DefaultServlet and/or webapp is
using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException
message is included in the error response, revealing the full server path to the requesting system.
(CVE-2018-12536)
- In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a
request containing multiple Accept headers with a large number of quality (i.e. q) parameters, the
server may enter a denial of service (DoS) state due to high CPU usage processing those quality values,
resulting in minutes of CPU time exhausted processing those quality values. (CVE-2020-27223)
- In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a
webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp,
inadvertently serving the webapps themselves and anything else that might be in that directory.
(CVE-2021-28163)
- In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with
URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For
example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive
information regarding the implementation of a web application. (CVE-2021-28164)
- In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can
reach 100% upon receiving a large invalid TLS frame. (CVE-2021-28165)
- For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the
ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For
example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal
sensitive information regarding the implementation of a web application. (CVE-2021-28169)
- For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the
SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID
manager. On deployments with clustered sessions and multiple contexts this can result in a session not
being invalidated. This can result in an application used on a shared computer being left logged in.
(CVE-2021-34428)
- Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the
CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a
request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet
will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command
prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the
user contains a quotation mark followed by a space, the resulting command line will contain multiple
tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
(CVE-2023-36479)
- Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and
12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This
is more permissive than allowed by the RFC and other servers routinely reject such requests with 400
responses. There is no known exploit scenario, but it is conceivable that request smuggling could result
if jetty is used in combination with a server that does not close the connection after sending such a 400
response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no
workaround as there is no known exploit scenario. (CVE-2023-40167)
- Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15
are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested
`LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current
request will still treat the user as authenticated. The authentication is then cleared from the session
and subsequent requests will not be treated as authenticated. So a request on a previously authenticated
session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This
impacts usages of the jetty-openid which have configured a nested `LoginService` and where that
`LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and
11.0.16 have a patch for this issue. (CVE-2023-41900)
- Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP
congested will be leaked when it times out. An attacker can cause many connections to end up in this
state, and the server may run out of file descriptors, eventually causing the server to stop accepting new
connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
(CVE-2024-22201)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-34429");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-9735");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Jetty WEB-INF File Disclosure");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jetty");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jetty-eclipse");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'pkgs': [
{'reference':'jetty', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'jetty'}
]
}
];
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
foreach var pkg ( constraint_array['pkgs'] ) {
var unpatched_pkg = NULL;
var _release = NULL;
var sp = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (unpatched_pkg &&
_release &&
(!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : unpatched_packages_report()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jetty');
}
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9735
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27223
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28163
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28164
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28165
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34428
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34429
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22201
Related
