Jetty 9.3.8 Path Sanitization Vulnerability

2016.05.31
Risk: High
Local: No
Remote: Yes
CWE: CWE-284


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Description:

Jetty is a Java HTTP (Web) server and Servlet container. The Jetty path normalization mechanism suffers from an implementation issue when parsing request URLs. The path normalization logic implemented in the PathResource class and introduced in Jetty versions 9.3.x can be defeated by requesting malicious URLs containing specific escaped characters. Leveraging this weakness, a malicious user can gain access to protected resources (e.g. the WEB-INF and META-INF folders and their contents) and defeat application filters or other security constraints implemented in the servlet configuration.

A workaround to mitigate the issue, using the 'rewrite' module, can alternatively be implemented as follows:

  $ java -jar ../start.jar --module=rewrite etc/backslashalias.xml

or

  $ java -jar ../start.jar --add-to-startd=rewrite
  $ java -jar ../start.jar etc/backslashalias.xml

Workaround file backslashalias.xml contents:

  <?xml version="1.0"?>
  <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
  <Configure id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RuleContainer">
    <Call name="addRule">
      <Arg>
        <New class="org.eclipse.jetty.rewrite.handler.RedirectRegexRule">
          <!-- Java regex: any request path containing a literal backslash -->
          <Arg>.*\\.*</Arg>
          <Arg>/</Arg>
          <Set name="statusCode">404</Set>
        </New>
      </Arg>
    </Call>
  </Configure>

Affected version: Jetty >= 9.3.0, <= 9.3.8
Fixed version: Jetty >= 9.3.9

Credit: vulnerability reported by Simon Zuckerbraun of Trend Micro Zero Day Initiative

CVE: CVE-2016-4800

Timeline:
2016-05-03: vulnerability report received
2016-05-06: contacted maintainer
2016-05-11: patch provided by maintainer
2016-05-13: assigned CVE
2016-05-18: reporter confirms patch
2016-05-20: contacted affected vendors
2016-05-30: advisory release

References:
http://www.eclipse.org/jetty/download.html

Permalink:
http://www.ocert.org/advisories/ocert-2016-001.html

--
Daniele Bianco
Open Source Computer Security Incident Response Team
<danbia@ocert.org>
http://www.ocert.org
GPG Key 0x9544A497
GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D 4AC5 AE75 822E 9544 A497
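The following Python is an added example, not code from the oCERT advisory or the Jetty project. It shows a defender-side check for the class of request the advisory describes: it canonicalizes a request path the way a correct normalizer must (decoding escapes and folding backslashes before comparing against WEB-INF and META-INF), and runs that check over constructed access-log lines to flag requests that reached a protected directory through a backslash alias. The log lines, addresses and function names are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Directories the servlet specification keeps off-limits to clients.
PROTECTED_SEGMENTS = {"web-inf", "meta-inf"}

def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the file system would resolve:
    percent-decode until stable (so double encoding is unfolded too), treat
    backslashes as separators the way Windows does, collapse dot segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(5):  # bounded so a pathological input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath("/" + path.replace("\\", "/").lstrip("/"))

def targets_protected_resource(raw_path: str) -> bool:
    """True when the canonical path enters WEB-INF or META-INF."""
    return any(seg.lower() in PROTECTED_SEGMENTS
               for seg in canonicalize(raw_path).split("/"))

def uses_alias_separator(raw_path: str) -> bool:
    """True when the raw path carries a literal or percent-encoded backslash,
    the separator the 9.3.x normalizer failed to fold into '/'."""
    return "\\" in raw_path or re.search(r"%(?:25)*5c", raw_path, re.I) is not None

# Constructed access-log lines in common log format (not from the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2016:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 512
203.0.113.7 - - [31/May/2016:10:00:02 +0000] "GET /app/WEB-INF/web.xml HTTP/1.1" 404 0
203.0.113.9 - - [31/May/2016:10:00:03 +0000] "GET /app/static/..%5cWEB-INF/web.xml HTTP/1.1" 200 2048
203.0.113.9 - - [31/May/2016:10:00:04 +0000] "GET /app/META-INF%5cMANIFEST.MF HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def suspicious_requests(log_text: str) -> list:
    """Return (path, status) for requests that reach a protected directory via
    an alias separator; a 2xx status means the container served the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and uses_alias_separator(m.group(1)) \
                and targets_protected_resource(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits
```

A plain request for /app/WEB-INF/web.xml is not reported because the container already refused it; the two alias-based requests that were answered with 200 are the ones worth investigating.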
