Difference between revisions of "Jetty/Jetty Security Reports"
(9 intermediate revisions by 2 users not shown)
Line 1: | Line 1: | ||
== Jetty Security Reports == | == Jetty Security Reports == | ||
+ | |||
+ | {{Jetty TODO}} | ||
+ | |||
=== Resolved Issues === | === Resolved Issues === | ||
− | {| border="1" cellpadding="1" cellspacing="1" | + | {| align="top" border="1" cellpadding="1" cellspacing="1" |
|- | |- | ||
− | | scope="col" width=" | + | | scope="col" width="100" | yyyy/mm/dd |
| scope="col" width="225" | ID | | scope="col" width="225" | ID | ||
| scope="col" width="70" | Exploitable | | scope="col" width="70" | Exploitable | ||
| scope="col" width="70" | Severity | | scope="col" width="70" | Severity | ||
− | | scope="col" width=" | + | | scope="col" width="170" | Affects |
| scope="col" width="200" | Fixed Version | | scope="col" width="200" | Fixed Version | ||
− | | scope="col" width=" | + | | scope="col" width="250" | Comment |
|- | |- | ||
− | | 12/29 | + | | 2011/12/29 |
| | | | ||
− | + | [http://www.ocert.org/advisories/ocert-2011-003.html CERT2011-003] | |
− | [http://www.ocert.org/advisories/ocert-2011-003.html | + | |
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461 CVE-2011-4461] | [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461 CVE-2011-4461] | ||
− | |||
− | |||
| high | | high | ||
| high | | high | ||
| All versions | | All versions | ||
| 7.6.0.RC0 | | 7.6.0.RC0 | ||
+ | |||
+ | [https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638 Jetty-367638] | ||
| Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). | | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). | ||
|- | |- | ||
− | | | + | | 2009/11/05 |
| | | | ||
− | [http://www.kb.cert.org/vuls/id/120541 | + | [http://www.kb.cert.org/vuls/id/120541 CERT120541] |
− | + | ||
− | + | ||
+ | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 CVE-2009-3555] | ||
| medium | | medium | ||
| high | | high | ||
| JVM<1.6u19 | | JVM<1.6u19 | ||
| jetty-7.01.v20091125,<br>jetty-6.1.22 | | jetty-7.01.v20091125,<br>jetty-6.1.22 | ||
− | | | + | | Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19<br><br>setAllowRenegotiate(true) may be called on connectors |
|- | |- | ||
− | | | + | | 2009/06/18 |
| [http://jira.codehaus.org/browse/JETTY-1042 JETTY-1042] | | [http://jira.codehaus.org/browse/JETTY-1042 JETTY-1042] | ||
| low | | low | ||
| high | | high | ||
− | | <=6.1.18, <=7.0.0.M4 | + | | <=6.1.18, <br><=7.0.0.M4 |
− | | 6.1.19, 7.0.0.Rc0 | + | | 6.1.19, <br>7.0.0.Rc0 |
| cookie leak between requests sharing a connection | | cookie leak between requests sharing a connection | ||
|- | |- | ||
− | | | + | | 2009/04/30 |
| [http://www.kb.cert.org/vuls/id/402580 CERT402580] | | [http://www.kb.cert.org/vuls/id/402580 CERT402580] | ||
| medium<span class="Apple-tab-span" style="white-space:pre"> </span> | | medium<span class="Apple-tab-span" style="white-space:pre"> </span> | ||
| high | | high | ||
| <=6.1.16,<br><=7.0.0.M2 | | <=6.1.16,<br><=7.0.0.M2 | ||
− | | 5.1.15,6.1.18,7.0.0.M2<br> | + | | 5.1.15,6.1.18,7.0.0.M2<br>[http://jira.codehaus.org/browse/JETTY-1004 JETTY-1004] |
| view arbitrary disk content in some specific configurations | | view arbitrary disk content in some specific configurations | ||
|- | |- | ||
− | | 12/22 | + | | 2007/12/22 |
− | | [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672 CVE 2007-6672 | + | | [http://www.kb.cert.org/vuls/id/553235 CERT553235] <br>[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672 CVE-2007-6672] |
| high | | high | ||
| medium | | medium | ||
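Review bot: The new comment on the 2009/11/05 row leaves JVM 1.6u19 itself uncovered: the Affects cell reads "JVM<1.6u19" while the added text reads "If using JVM > 1.6u19", so a reader on exactly 1.6u19 cannot tell whether renegotiation may be re-enabled. State the bound as ">= 1.6u19" if that is what is meant, and put a comma or line break before "setAllowRenegotiate(true)" so the workaround and the exception read as separate statements. On the 2011/12/29 row, the link label "CERT2011-003" points at an ocert.org advisory URL; the label should match the issuer named in the URL.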
Line 65: | Line 67: | ||
| Static content visible in WEB-INF and past security constraints | | Static content visible in WEB-INF and past security constraints | ||
|- | |- | ||
− | | 11/ | + | | 2007/11/05 |
| | | | ||
+ | [http://www.kb.cert.org/vuls/id/438616 CERT438616] | ||
+ | |||
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] | ||
− | |||
− | |||
− | |||
| low | | low | ||
| low | | low | ||
Line 77: | Line 78: | ||
| Single quote in cookie name | | Single quote in cookie name | ||
|- | |- | ||
− | | 11/ | + | | 2007/11/05 |
| | | | ||
− | + | [http://www.kb.cert.org/vuls/id/237888 CERT237888] | |
− | + | ||
− | [http://www.kb.cert.org/vuls/id/237888 | + | |
+ | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CVE-2007-5613] | ||
| low | | low | ||
| low | | low | ||
Line 89: | Line 89: | ||
| XSS in demo dump servlet | | XSS in demo dump servlet | ||
|- | |- | ||
− | | | + | | 2007/11/03 |
| | | | ||
+ | [http://www.kb.cert.org/vuls/id/212984 CERT212984] | ||
+ | |||
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615] | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615] | ||
− | |||
− | |||
− | |||
| medium | | medium | ||
| medium | | medium | ||
Line 101: | Line 100: | ||
| CRLF Response splitting | | CRLF Response splitting | ||
|- | |- | ||
− | | 11/22 | + | | 2006/11/22 |
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969 CVE-2006-6969] | | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969 CVE-2006-6969] | ||
| low | | low | ||
Line 109: | Line 108: | ||
| Session ID predictability | | Session ID predictability | ||
|- | |- | ||
− | | | + | | 2006/06/01 |
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759 CVE-2006-2759] | | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759 CVE-2006-2759] | ||
| medium | | medium | ||
Line 117: | Line 116: | ||
| JSP source visibility | | JSP source visibility | ||
|- | |- | ||
− | | | + | | 2006/01/05 |
| | | | ||
| medium | | medium | ||
Line 125: | Line 124: | ||
| Fixed // security constraint bypass on windows | | Fixed // security constraint bypass on windows | ||
|- | |- | ||
− | | 11/18 | + | | 2005/11/18 |
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758 CVE-2006-2758] | | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758 CVE-2006-2758] | ||
| medium | | medium | ||
Line 133: | Line 132: | ||
| JSP source visibility | | JSP source visibility | ||
|- | |- | ||
− | | | + | | 2004/02/04 |
| JSSE 1.0.3_01 | | JSSE 1.0.3_01 | ||
| medium | | medium | ||
Line 141: | Line 140: | ||
| Upgraded JSSE to obtain downstream security fix | | Upgraded JSSE to obtain downstream security fix | ||
|- | |- | ||
− | | | + | | 2002/09/22 |
| | | | ||
| high | | high | ||
Line 149: | Line 148: | ||
| Fixed CGI servlet remove exploit | | Fixed CGI servlet remove exploit | ||
|- | |- | ||
− | | | + | | 2002/03/12 |
| | | | ||
| medium | | medium | ||
Line 157: | Line 156: | ||
| Fixed // security constraint bypass | | Fixed // security constraint bypass | ||
|- | |- | ||
− | | 10/21 | + | | 2001/10/21 |
| | | | ||
| medium | | medium | ||
Line 172: | Line 171: | ||
=== Known Jetty 5 Issues === | === Known Jetty 5 Issues === | ||
− | {| border="1" cellpadding="1" cellspacing="1" | + | {| align="top" border="1" cellpadding="1" cellspacing="1" |
|- | |- | ||
| scope="col" width="45" | ID | | scope="col" width="45" | ID | ||
Line 178: | Line 177: | ||
|- | |- | ||
| | | | ||
− | [http://www.kb.cert.org/vuls/id/ | + | [http://www.kb.cert.org/vuls/id/237888 CERT 237888] |
− | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 | + | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CVE-2007-5613] |
| The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. | | The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. | ||
|- | |- | ||
| | | | ||
− | [http://www.kb.cert.org/vuls/id/438616 CERT438616] [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] | + | [http://www.kb.cert.org/vuls/id/438616 CERT438616] |
+ | |||
+ | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] | ||
| HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. | | HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. | ||
|- | |- | ||
| | | | ||
− | [http://www.kb.cert.org/vuls/id/212984 | + | [http://www.kb.cert.org/vuls/id/212984 CERT212984] |
+ | |||
+ | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615] | ||
| The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. | | The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. | ||
|} | |} |
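Review bot: In the first row of the Known Jetty 5 Issues table the new label is written "CERT 237888" with a space, while the Resolved Issues table and the other two rows here use the unspaced form (CERT237888, CERT438616, CERT212984); use one spelling so the ID is searchable. The same row also lacks the blank line between the CERT and CVE links that this revision adds to the other two rows, so its two links will not be laid out the same way as theirs.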
Latest revision as of 19:08, 24 July 2013
Jetty Security Reports
Resolved Issues
yyyy/mm/dd | ID | Exploitable | Severity | Affects | Fixed Version | Comment |
2011/12/29 | CERT2011-003, CVE-2011-4461 | high | high | All versions | 7.6.0.RC0, Jetty-367638 | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). |
2009/11/05 | CERT120541, CVE-2009-3555 | medium | high | JVM<1.6u19 | jetty-7.01.v20091125, jetty-6.1.22 | Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 setAllowRenegotiate(true) may be called on connectors |
2009/06/18 | JETTY-1042 | low | high | <=6.1.18, <=7.0.0.M4 | 6.1.19, 7.0.0.Rc0 | cookie leak between requests sharing a connection |
2009/04/30 | CERT402580 | medium | high | <=6.1.16, <=7.0.0.M2 | 5.1.15, 6.1.18, 7.0.0.M2, JETTY-1004 | view arbitrary disk content in some specific configurations |
2007/12/22 | CERT553235, CVE-2007-6672 | high | medium | 6.1.rrc0-6.1.6 | 6.1.7 | Static content visible in WEB-INF and past security constraints |
2007/11/05 | CERT438616, CVE-2007-5614 | low | low | < 6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) | Single quote in cookie name |
2007/11/05 | CERT237888, CVE-2007-5613 | low | low | < 6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) | XSS in demo dump servlet |
2007/11/03 | CERT212984, CVE-2007-5615 | medium | medium | < 6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) | CRLF Response splitting |
2006/11/22 | CVE-2006-6969 | low | high | <6.1.0, <6.0.2, <5.1.12, <4.2.27 | 6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability |
2006/06/01 | CVE-2006-2759 | medium | medium | 6.0.*<6.0.0Beta17 | 6.0.0Beta17 | JSP source visibility |
2006/01/05 | | medium | medium | <5.1.10 | 5.1.10 | Fixed // security constraint bypass on windows |
2005/11/18 | CVE-2006-2758 | medium | medium | <5.1.6 | 5.1.6, 6.0.0Beta4 | JSP source visibility |
2004/02/04 | JSSE 1.0.3_01 | medium | medium | <4.2.7 | 4.2.7 | Upgraded JSSE to obtain downstream security fix |
2002/09/22 | | high | high | <4.1.0 | 4.1.0 | Fixed CGI servlet remove exploit |
2002/03/12 | | medium | | <3.1.7 | 4.0.RC2, 3.1.7 | Fixed // security constraint bypass |
2001/10/21 | | medium | | <3.1.3 | 3.1.3 | Fixed trailing null security constraint bypass |
Known Jetty 6 Issues
none
Known Jetty 5 Issues
ID | Explanation |
CERT 237888, CVE-2007-5613 | The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. |
CERT438616, CVE-2007-5614 | HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. |
CERT212984, CVE-2007-5615 | The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. |