Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "Jetty/Jetty Security Reports"
< Jetty
m |
|||
| (9 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
== Jetty Security Reports == | == Jetty Security Reports == | ||
| + | |||
| + | {{Jetty TODO}} | ||
| + | |||
=== Resolved Issues === | === Resolved Issues === | ||
| − | {| border="1" cellpadding="1" cellspacing="1" | + | {| align="top" border="1" cellpadding="1" cellspacing="1" |
|- | |- | ||
| − | | scope="col" width=" | + | | scope="col" width="100" | yyyy/mm/dd |
| scope="col" width="225" | ID | | scope="col" width="225" | ID | ||
| scope="col" width="70" | Exploitable | | scope="col" width="70" | Exploitable | ||
| scope="col" width="70" | Severity | | scope="col" width="70" | Severity | ||
| − | | scope="col" width=" | + | | scope="col" width="170" | Affects |
| scope="col" width="200" | Fixed Version | | scope="col" width="200" | Fixed Version | ||
| − | | scope="col" width=" | + | | scope="col" width="250" | Comment |
|- | |- | ||
| − | | 12/29 | + | | 2011/12/29 |
| | | | ||
| − | + | [http://www.ocert.org/advisories/ocert-2011-003.html CERT2011-003] | |
| − | [http://www.ocert.org/advisories/ocert-2011-003.html | + | |
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461 CVE-2011-4461] | [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461 CVE-2011-4461] | ||
| − | |||
| − | |||
| high | | high | ||
| high | | high | ||
| All versions | | All versions | ||
| 7.6.0.RC0 | | 7.6.0.RC0 | ||
| + | |||
| + | [https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638 Jetty-367638] | ||
| Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). | | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). | ||
|- | |- | ||
| − | | | + | | 2009/11/05 |
| | | | ||
| − | [http://www.kb.cert.org/vuls/id/120541 | + | [http://www.kb.cert.org/vuls/id/120541 CERT120541] |
| − | + | ||
| − | + | ||
| + | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 CVE-2009-3555] | ||
| medium | | medium | ||
| high | | high | ||
| JVM<1.6u19 | | JVM<1.6u19 | ||
| jetty-7.01.v20091125,<br>jetty-6.1.22 | | jetty-7.01.v20091125,<br>jetty-6.1.22 | ||
| − | | | + | | Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19<br><br>setAllowRenegotiate(true) may be called on connectors |
|- | |- | ||
| − | | | + | | 2009/06/18 |
| [http://jira.codehaus.org/browse/JETTY-1042 JETTY-1042] | | [http://jira.codehaus.org/browse/JETTY-1042 JETTY-1042] | ||
| low | | low | ||
| high | | high | ||
| − | | <=6.1.18, <=7.0.0.M4 | + | | <=6.1.18, <br><=7.0.0.M4 |
| − | | 6.1.19, 7.0.0.Rc0 | + | | 6.1.19, <br>7.0.0.Rc0 |
| cookie leak between requests sharing a connection | | cookie leak between requests sharing a connection | ||
|- | |- | ||
| − | | | + | | 2009/04/30 |
| [http://www.kb.cert.org/vuls/id/402580 CERT402580] | | [http://www.kb.cert.org/vuls/id/402580 CERT402580] | ||
| medium<span class="Apple-tab-span" style="white-space:pre"> </span> | | medium<span class="Apple-tab-span" style="white-space:pre"> </span> | ||
| high | | high | ||
| <=6.1.16,<br><=7.0.0.M2 | | <=6.1.16,<br><=7.0.0.M2 | ||
| − | | 5.1.15,6.1.18,7.0.0.M2<br> | + | | 5.1.15,6.1.18,7.0.0.M2<br>[http://jira.codehaus.org/browse/JETTY-1004 JETTY-1004] |
| view arbitrary disk content in some specific configurations | | view arbitrary disk content in some specific configurations | ||
|- | |- | ||
| − | | 12/22 | + | | 2007/12/22 |
| − | | [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672 CVE 2007-6672 | + | | [http://www.kb.cert.org/vuls/id/553235 CERT553235] <br>[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672 CVE-2007-6672] |
| high | | high | ||
| medium | | medium | ||
| Line 65: | Line 67: | ||
| Static content visible in WEB-INF and past security constraints | | Static content visible in WEB-INF and past security constraints | ||
|- | |- | ||
| − | | 11/ | + | | 2007/11/05 |
| | | | ||
| + | [http://www.kb.cert.org/vuls/id/438616 CERT438616] | ||
| + | |||
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] | ||
| − | |||
| − | |||
| − | |||
| low | | low | ||
| low | | low | ||
| Line 77: | Line 78: | ||
| Single quote in cookie name | | Single quote in cookie name | ||
|- | |- | ||
| − | | 11/ | + | | 2007/11/05 |
| | | | ||
| − | + | [http://www.kb.cert.org/vuls/id/237888 CERT237888] | |
| − | + | ||
| − | [http://www.kb.cert.org/vuls/id/237888 | + | |
| + | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CVE-2007-5613] | ||
| low | | low | ||
| low | | low | ||
| Line 89: | Line 89: | ||
| XSS in demo dump servlet | | XSS in demo dump servlet | ||
|- | |- | ||
| − | | | + | | 2007/11/03 |
| | | | ||
| + | [http://www.kb.cert.org/vuls/id/212984 CERT212984] | ||
| + | |||
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615] | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615] | ||
| − | |||
| − | |||
| − | |||
| medium | | medium | ||
| medium | | medium | ||
| Line 101: | Line 100: | ||
| CRLF Response splitting | | CRLF Response splitting | ||
|- | |- | ||
| − | | 11/22 | + | | 2006/11/22 |
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969 CVE-2006-6969] | | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969 CVE-2006-6969] | ||
| low | | low | ||
| Line 109: | Line 108: | ||
| Session ID predictability | | Session ID predictability | ||
|- | |- | ||
| − | | | + | | 2006/06/01 |
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759 CVE-2006-2759] | | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759 CVE-2006-2759] | ||
| medium | | medium | ||
| Line 117: | Line 116: | ||
| JSP source visibility | | JSP source visibility | ||
|- | |- | ||
| − | | | + | | 2006/01/05 |
| | | | ||
| medium | | medium | ||
| Line 125: | Line 124: | ||
| Fixed // security constraint bypass on windows | | Fixed // security constraint bypass on windows | ||
|- | |- | ||
| − | | 11/18 | + | | 2005/11/18 |
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758 CVE-2006-2758] | | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758 CVE-2006-2758] | ||
| medium | | medium | ||
| Line 133: | Line 132: | ||
| JSP source visibility | | JSP source visibility | ||
|- | |- | ||
| − | | | + | | 2004/02/04 |
| JSSE 1.0.3_01 | | JSSE 1.0.3_01 | ||
| medium | | medium | ||
| Line 141: | Line 140: | ||
| Upgraded JSSE to obtain downstream security fix | | Upgraded JSSE to obtain downstream security fix | ||
|- | |- | ||
| − | | | + | | 2002/09/22 |
| | | | ||
| high | | high | ||
| Line 149: | Line 148: | ||
| Fixed CGI servlet remove exploit | | Fixed CGI servlet remove exploit | ||
|- | |- | ||
| − | | | + | | 2002/03/12 |
| | | | ||
| medium | | medium | ||
| Line 157: | Line 156: | ||
| Fixed // security constraint bypass | | Fixed // security constraint bypass | ||
|- | |- | ||
| − | | 10/21 | + | | 2001/10/21 |
| | | | ||
| medium | | medium | ||
| Line 172: | Line 171: | ||
=== Known Jetty 5 Issues === | === Known Jetty 5 Issues === | ||
| − | {| border="1" cellpadding="1" cellspacing="1" | + | {| align="top" border="1" cellpadding="1" cellspacing="1" |
|- | |- | ||
| scope="col" width="45" | ID | | scope="col" width="45" | ID | ||
| Line 178: | Line 177: | ||
|- | |- | ||
| | | | ||
| − | [http://www.kb.cert.org/vuls/id/ | + | [http://www.kb.cert.org/vuls/id/237888 CERT 237888] |
| − | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 | + | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CVE-2007-5613] |
| The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. | | The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. | ||
|- | |- | ||
| | | | ||
| − | [http://www.kb.cert.org/vuls/id/438616 CERT438616] [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] | + | [http://www.kb.cert.org/vuls/id/438616 CERT438616] |
| + | |||
| + | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] | ||
| HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. | | HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. | ||
|- | |- | ||
| | | | ||
| − | [http://www.kb.cert.org/vuls/id/212984 | + | [http://www.kb.cert.org/vuls/id/212984 CERT212984] |
| + | |||
| + | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615] | ||
| The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. | | The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. | ||
|} | |} | ||
Latest revision as of 19:08, 24 July 2013
Contents
Jetty Security Reports
Some or all of this content remains to be ported to Jetty 9 Documentation.
If you are interested in migrating this content see our contribution guide or contact us.
If you are interested in migrating this content see our contribution guide or contact us.
Resolved Issues
| yyyy/mm/dd | ID | Exploitable | Severity | Affects | Fixed Version | Comment |
| 2011/12/29 | high | high | All versions | 7.6.0.RC0 | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). | |
| 2009/11/05 | medium | high | JVM<1.6u19 | jetty-7.01.v20091125, jetty-6.1.22 |
Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 setAllowRenegotiate(true) may be called on connectors | |
| 2009/06/18 | JETTY-1042 | low | high | <=6.1.18, <=7.0.0.M4 |
6.1.19, 7.0.0.Rc0 |
cookie leak between requests sharing a connection |
| 2009/04/30 | CERT402580 | medium | high | <=6.1.16, <=7.0.0.M2 |
5.1.15,6.1.18,7.0.0.M2 JETTY-1004 |
view arbitrary disk content in some specific configurations |
| 2007/12/22 | CERT553235 CVE-2007-6672 |
high | medium | 6.1.rrc0-6.1.6 |
6.1.7 |
Static content visible in WEB-INF and past security constraints |
| 2007/11/05 | low | low | < 6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) |
Single quote in cookie name | |
| 2007/11/05 | low | low | < 6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) |
XSS in demo dump servlet | |
| 2007/11/03 | medium | medium | < 6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) |
CRLF Response splitting | |
| 2006/11/22 | CVE-2006-6969 | low | high | <6.1.0,<6.0.2, <5.1.12,<4.2.27 |
6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability |
| 2006/06/01 | CVE-2006-2759 | medium | medium | 6.0.*<6.0.0Beta17 | 6.0.0Beta17 | JSP source visibility |
| 2006/01/05 | medium | medium | <5.1.10 | 5.1.10 | Fixed // security constraint bypass on windows | |
| 2005/11/18 | CVE-2006-2758 | medium | medium | <5.1.6 | 5.1.6, 6.0.0Beta4 | JSP source visibility |
| 2004/02/04 | JSSE 1.0.3_01 | medium | medium | <4.2.7 | 4.2.7 | Upgraded JSSE to obtain downstream security fix |
| 2002/09/22 | high | high | <4.1.0 | 4.1.0 | Fixed CGI servlet remove exploit | |
| 2002/03/12 | medium | |
<3.1.7 | 4.0.RC2, 3.1.7 | Fixed // security constraint bypass | |
| 2001/10/21 | medium | <3.1.3 | 3.1.3 | Fixed trailing null security constraint bypass |
Known Jetty 6 Issues
none
Known Jetty 5 Issues
| ID | Explanation |
| The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. | |
| HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. | |
| The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. |