<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - [CVE 21] jetty 9.4.19 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13254">13254</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] jetty 9.4.19 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2022-2047, CVE-2022-2048, CVE-2023-26048, CVE-2023-26049,
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package jetty version 9.4.19
INFO (CVEs are): jetty 9.4.19 cves found
CVE-2020-27216
Desc: In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru
10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix like systems, the
system's temporary directory is shared between all users on that system. A
collocated user can observe the process of creating a temporary sub directory
in the shared temporary directory and race to complete the creation of the
temporary subdirectory. If the attacker wins the race then they will have read
and write permission to the subdirectory used to unpack web applications,
including their WEB-INF/lib jar files and JSP files. If any code is ever
executed out of this temporary directory, this can lead to a local privilege
escalation vulnerability.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27216">https://nvd.nist.gov/vuln/detail/CVE-2020-27216</a>
Severity: HIGH
CVE-2020-27218
Desc: In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to
10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation
is enabled and requests from different clients are multiplexed onto a single
connection, and if an attacker can send a request with a body that is received
entirely but not consumed by the application, then a subsequent request on the
same connection will see that body prepended to its body. The attacker will not
see any data but may inject data into the body of the subsequent request.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27218">https://nvd.nist.gov/vuln/detail/CVE-2020-27218</a>
Severity: MEDIUM
CVE-2020-27223
Desc: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0,
and 11.0.0 when Jetty handles a request containing multiple Accept headers with
a large number of “quality” (i.e. q) parameters, the server may enter a denial
of service (DoS) state due to high CPU usage processing those quality values,
resulting in minutes of CPU time exhausted processing those quality values.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27223">https://nvd.nist.gov/vuln/detail/CVE-2020-27223</a>
Severity: MEDIUM
CVE-2021-28165
Desc: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large
invalid TLS frame.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-28165">https://nvd.nist.gov/vuln/detail/CVE-2021-28165</a>
Severity: HIGH
CVE-2021-28169
Desc: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is
possible for requests to the ConcatServlet with a doubly encoded path to access
protected resources within the WEB-INF directory. For example a request to
`/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal
sensitive information regarding the implementation of a web application.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-28169">https://nvd.nist.gov/vuln/detail/CVE-2021-28169</a>
Severity: MEDIUM
CVE-2022-2047
Desc: In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and
11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http
scheme URI, the Jetty HttpURI class improperly detects an invalid input as a
hostname. This can lead to failures in a Proxy scenario.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-2047">https://nvd.nist.gov/vuln/detail/CVE-2022-2047</a>
Severity: LOW
CVE-2022-2048
Desc: In Eclipse Jetty HTTP/2 server implementation, when encountering an
invalid HTTP/2 request, the error handling has a bug that can wind up not
properly cleaning up the active connections and associated resources. This can
lead to a Denial of Service scenario where there are not enough resources left
to process good requests.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-2048">https://nvd.nist.gov/vuln/detail/CVE-2022-2048</a>
Severity: HIGH
CVE-2023-26048
Desc: Jetty is a java based web server and servlet engine. In affected versions
servlets with multipart support (e.g. annotated with `@MultipartConfig`) that
call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may
cause `OutOfMemoryError` when the client sends a multipart request with a part
that has a name but no filename and very large content. This happens even with
the default settings of `fileSizeThreshold=0` which should stream the whole
part content to disk. An attacker client may send a large multipart request and
cause the server to throw `OutOfMemoryError`. However, the server may be able
to recover after the `OutOfMemoryError` and continue its service -- although it
may take some time. This issue has been patched in versions 9.4.51, 10.0.14,
and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the
multipart parameter `maxRequestSize` which must be set to a non-negative value,
so the whole multipart content is limited (although still read into memory).
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-26048">https://nvd.nist.gov/vuln/detail/CVE-2023-26048</a>
Severity: MEDIUM
CVE-2023-26049
Desc: Jetty is a java based web server and servlet engine. Nonstandard cookie
parsing in Jetty may allow an attacker to smuggle cookies within other cookies,
or otherwise perform unintended behavior by tampering with the cookie parsing
mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it
will continue to read the cookie string until it sees a closing quote -- even
if a semicolon is encountered. So, a cookie header such as:
`DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with
the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3
separate cookies. This has security implications because if, say, JSESSIONID is
an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the
page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE
cookie and thereby exfiltrate it. This is significant when an intermediary is
enacting some policy based on cookies, so a smuggled cookie can bypass that
policy yet still be seen by the Jetty server or its logging system. This issue
has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and
users are advised to upgrade. There are no known workarounds for this issue.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-26049">https://nvd.nist.gov/vuln/detail/CVE-2023-26049</a>
Severity: MEDIUM</pre>
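<p>The request above is to patch jetty 9.4.19. The following is an added example (not ROSA packaging code and not part of Eclipse Jetty) that turns the version ranges quoted in the CVE descriptions into a check of an installed 9.4.x version: for each CVE it records the first 9.4.x release the quoted range leaves unaffected (for "thru 9.4.32.v20200930" that is 9.4.33, and so on), and CVE-2022-2048 is left out because its description quotes no version range. The date suffixes in the sample inputs are assumed for illustration.</p>

```python
"""Check an installed Jetty 9.4.x version against the affected ranges quoted in
this report.  Added example; the fixed-in versions below are inferred from the
CVE text above (first 9.4.x release outside the quoted range), not from Jetty."""
import re

# First 9.4.x release that is NOT affected, per the ranges quoted in the report.
FIXED_IN_9_4 = {
    "CVE-2020-27216": (9, 4, 33),   # affected thru 9.4.32.v20200930
    "CVE-2020-27218": (9, 4, 35),   # affected to 9.4.34.v20201102
    "CVE-2020-27223": (9, 4, 37),   # affected to 9.4.36.v20210114 (inclusive)
    "CVE-2021-28165": (9, 4, 39),   # affected to 9.4.38
    "CVE-2021-28169": (9, 4, 41),   # affected <= 9.4.40
    "CVE-2022-2047":  (9, 4, 47),   # affected thru 9.4.46
    "CVE-2023-26048": (9, 4, 51),   # patched in 9.4.51
    "CVE-2023-26049": (9, 4, 51),   # patched in 9.4.51
}

# Jetty versions look like 9.4.19 or 9.4.19.v20190610; the date tag is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?$")


def parse_jetty_version(text):
    """Return (major, minor, patch); the date suffix does not affect ordering."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3))


def open_cves(version_text, table=FIXED_IN_9_4):
    """CVE ids from the table whose fix is newer than the installed version."""
    installed = parse_jetty_version(version_text)
    if installed[:2] != (9, 4):
        raise ValueError("this table only covers the 9.4.x series")
    return sorted(cve for cve, fixed in table.items() if installed < fixed)


def minimum_safe_version(table=FIXED_IN_9_4):
    """Smallest 9.4.x release that closes every CVE in the table."""
    major, minor, patch = max(table.values())
    return f"{major}.{minor}.{patch}"


if __name__ == "__main__":
    # Sample versions (date suffixes assumed for illustration).
    for v in ("9.4.19.v20190610", "9.4.40", "9.4.51.v20230217"):
        print(v, "->", open_cves(v) or "none of the listed CVEs")
    print("upgrade target:", minimum_safe_version())
```

<p>Run against 9.4.19 every CVE in the table is still open, and the smallest release that closes all of them is 9.4.51, which matches the "patched in 9.4.51" statement for the two 2023 CVEs; feed the function the version string reported by the installed jetty package rather than the nominal package version if the distribution applies backported patches, since a backport would not change the version number.</p>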
</div>
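<p>The CVE-2021-28169 entry above describes a doubly encoded path (<code>/concat?/%2557EB-INF/web.xml</code>) reaching a protected resource. The example below is added here to show why a guard that percent-decodes once misses that request while a guard that decodes to a fixed point and then checks catches it. It is illustrative code operating on the path that follows <code>/concat?</code>; it is not Jetty's ConcatServlet, and the <code>PROTECTED</code> prefixes and <code>max_rounds</code> limit are assumptions.</p>

```python
"""Single-decode versus fixed-point-decode checks for a WEB-INF guard.
Added example illustrating the CVE-2021-28169 description; not Jetty code."""
from urllib.parse import unquote

# Assumed list of directory prefixes the servlet must never serve.
PROTECTED = ("/WEB-INF/", "/META-INF/")


def is_protected(path):
    """Case-insensitive check on an already decoded path."""
    p = path if path.startswith("/") else "/" + path
    upper = p.upper()
    return any(prefix in upper for prefix in PROTECTED)


def naive_allowed(raw_path):
    """Decode once, then check: the pattern the CVE text shows being bypassed.
    '%2557' decodes to '%57', which is not yet the letter 'W'."""
    return not is_protected(unquote(raw_path))


def full_decode(raw_path, max_rounds=4):
    """Percent-decode until the string stops changing.  The round limit is an
    assumption to bound work on pathological input."""
    current = raw_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("path did not stabilise after repeated decoding")


def hardened_allowed(raw_path):
    """Decode to a fixed point, then reject protected prefixes, any leftover
    '%' and any '..' path component."""
    try:
        decoded = full_decode(raw_path)
    except ValueError:
        return False
    if "%" in decoded or ".." in decoded.split("/"):
        return False
    return not is_protected(decoded)


if __name__ == "__main__":
    for p in ("/%2557EB-INF/web.xml", "/%57EB-INF/web.xml", "/images/logo.png"):
        print(f"{p:28} once-decoded allowed={naive_allowed(p)} "
              f"hardened allowed={hardened_allowed(p)}")
```

<p>The single-encoded form <code>/%57EB-INF/web.xml</code> is caught by both guards; only the doubly encoded form separates them, which is exactly the case the CVE text gives.</p>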
</p>
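<p>The CVE-2023-26049 entry explains that a cookie value beginning with a double quote is read through semicolons until the closing quote. The example below is added here (it is not Jetty's cookie parser) to put that quote-aware behaviour next to a plain split-on-semicolon parse and run both on the header value quoted in the report, so the disagreement that lets a cookie be smuggled past an intermediary is visible in the returned dictionaries. The sample header is the one from the CVE text; the function names are assumptions.</p>

```python
"""Quote-aware versus plain cookie-header parsing on the CVE-2023-26049 sample.
Added example, not Jetty code."""


def parse_cookie_plain(header):
    """Split on ';' only, then on the first '='.  Quotes are not special."""
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue
        name, value = pair.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def parse_cookie_quote_aware(header):
    """A value that starts with '"' runs until the closing '"', even across ';'.
    This reproduces the nonstandard behaviour the CVE text describes."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":      # skip separators
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':
            close = header.find('"', i + 1)
            if close == -1:
                close = n                          # unterminated: take the rest
            value = header[i + 1:close]
            i = header.find(";", close + 1)        # drop anything after the quote
            if i == -1:
                i = n
        else:
            end = header.find(";", i)
            if end == -1:
                end = n
            value = header[i:end].strip()
            i = end
        cookies[name] = value
    return cookies


def smuggled_names(header):
    """Cookie names a plain parser (e.g. an intermediary) sees as separate
    cookies but a quote-aware server folds into another cookie's value."""
    strict = set(parse_cookie_plain(header))
    lenient = set(parse_cookie_quote_aware(header))
    return sorted(strict - lenient)


# Header value taken from the CVE-2023-26049 description above.
HEADER = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"'

if __name__ == "__main__":
    print("plain      :", parse_cookie_plain(HEADER))
    print("quote-aware:", parse_cookie_quote_aware(HEADER))
    print("smuggled   :", smuggled_names(HEADER))
```

<p>With the quote-aware parse, <code>JSESSIONID</code> is no longer a cookie of its own but part of <code>DISPLAY_LANGUAGE</code>, so an application that echoes <code>DISPLAY_LANGUAGE</code> into the page would print the session id, and a proxy that filters on cookie names would not see that <code>JSESSIONID</code> and <code>c</code> ever reached the server.</p>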
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>