java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)

Details
2 participants
  • Julien Lepiller
  • Léo Le Bouter
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal

Léo Le Bouter wrote on 2 Apr 2021 03:37
(address . bug-guix@gnu.org)
0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@zaclys.net
CVE-2021-28165 01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
large invalid TLS frame.

CVE-2021-28164 01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
compliance mode allows requests with URIs that contain %2e or %2e%2e
segments to access protected resources within the WEB-INF directory.
For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
web.xml file. This can reveal sensitive information regarding the
implementation of a web application.

CVE-2021-28163 01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
symlink, the contents of the webapps directory is deployed as a static
webapp, inadvertently serving the webapps themselves and anything else
that might be in that directory.

The fix is to upgrade to latest version, currently: 9.4.39.v20210325
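
The WEB-INF bypass in CVE-2021-28164 above comes down to the order in which a server percent-decodes, normalises dot segments and applies its protected-directory check. The Python below is an added illustration for this thread, not code from Jetty, from Guix or from the reporter: `naive_decision` models the vulnerable ordering (the check runs on the raw path, so a `%2e` segment slips past it and is only collapsed later by the file system), while `hardened_decision` decodes, normalises, refuses any path whose shape changed, and only then checks the first segment. The function names, the `/context` context path and the request paths are constructed for the example.

```python
from urllib.parse import unquote
import posixpath

# Directories the servlet specification says must never be served directly.
PROTECTED_DIRS = ("WEB-INF", "META-INF")


def _first_segment(rel_path):
    """First path segment of a path beginning with '/', or '' if there is none."""
    return rel_path.split("/", 2)[1] if rel_path.startswith("/") else ""


def naive_decision(context, raw_path):
    """Vulnerable pattern (constructed): the protected-directory check runs on
    the path exactly as received.  '/context/%2e/WEB-INF/web.xml' has the first
    segment '%2e', which is not 'WEB-INF', so the request is allowed; the '.'
    is resolved away only when the file is looked up on disk."""
    if not raw_path.startswith(context + "/"):
        return "not-in-context"
    rel = raw_path[len(context):]
    first = _first_segment(rel).upper()
    return "deny" if first in PROTECTED_DIRS else "allow"


def hardened_decision(context, raw_path):
    """Decode, normalise, reject anything ambiguous, then check the segment."""
    decoded = unquote(raw_path)                  # '%2e' -> '.', '%2F' -> '/', '%57' -> 'W'
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("//"):
        return "deny"                            # NUL bytes, backslashes, network-path form
    canonical = posixpath.normpath(decoded)      # collapses '.', '..' and empty segments
    expected = decoded if decoded == "/" else decoded.rstrip("/")
    if canonical != expected:
        return "deny"                            # a dot or empty segment was present: ambiguous
    if not (canonical == context or canonical.startswith(context + "/")):
        return "not-in-context"
    rel = canonical[len(context):]
    first = _first_segment(rel).upper()          # case-insensitive, deliberately conservative
    return "deny" if first in PROTECTED_DIRS else "allow"


if __name__ == "__main__":
    # Constructed request paths: the one quoted in the CVE text plus a few variants.
    samples = [
        "/context/index.html",
        "/context/WEB-INF/web.xml",
        "/context/%2e/WEB-INF/web.xml",
        "/context/%2e%2e/context/WEB-INF/web.xml",
        "/context/%57EB-INF/web.xml",
        "/context//WEB-INF/web.xml",
    ]
    for path in samples:
        print(f"{path:45} naive={naive_decision('/context', path):6} "
              f"hardened={hardened_decision('/context', path)}")
```

The hardened version is stricter than a plain "decode then compare" would be: any path that changes under normalisation is refused outright rather than resolved, so a `%2e`, `%2e%2e` or empty segment never reaches the protected-directory check at all. That is the defensive posture to aim for in a custom filter; for Jetty itself the remedy is the upgrade the report names.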


Léo Le Bouter wrote on 2 Apr 2021 03:38
(address . control@debbugs.gnu.org)
80f09be2c4e04dd5b685fca546d6de5c3caaad4e.camel@zaclys.net
tags 47562 + security
quit


Julien Lepiller wrote on 2 Apr 2021 04:18
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
20210402131805.3ade4377@tachikoma.lepiller.eu
On Fri, 02 Apr 2021 12:37:27 +0200,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> CVE-2021-28165 01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
>
> CVE-2021-28164 01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
>
> CVE-2021-28163 01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
>
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325

Hi Guix!

Attached is a patch for these security issues. I'm not very happy with
them, because I had to do many things, but when updating 4-year-old packages,
it's somewhat expected.

The packages now require junit 5 to run the tests, so I had to disable
them, and dependencies have changed a bit, with the notable addition of
util-ajax. Unfortunately, I cannot update the 9.2.* versions, and
jetty-test-classes fails to build, though it's not needed anymore as
it's only used during tests.

I believe I added these packages initially only because I didn't want
users to mistakenly install the 9.2.* versions that were not the latest
at the time. We might want to update to jetty 11 or figure out how to
build junit 5, which has quite a complex dependency graph, with a few
cycles.

Thanks Léo for noticing this!
Julien Lepiller wrote on 12 Apr 2021 07:41
Re: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
(address . 47562-done@debbugs.gnu.org)
20210412164138.6d23eed8@tachikoma.lepiller.eu
Pushed as ac3bf4e4da58e985f012d216b2faf36434cdf967.
Closed
This issue is archived.
