Bug 29034 - jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89], CVE-2022-204[78]
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[...
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Java Stack Maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on:
Blocks: 27649
  Show dependency treegraph
 
Reported: 2021-05-30 00:18 CEST by David Walser
Modified: 2024-03-15 18:31 CET (History)
7 users (show)

See Also:
Source RPM: jetty-9.4.35-1.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 9.4.47

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-05-30 00:18:57 CEST 
Fedora has issued an advisory on April 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/

The only CVE explicitly listed is CVE-2021-28163, fixed in 9.4.39.

There are more, here are the upstream advisories:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

CVE-2021-2816[34] only affect Mageia 8.  The others also affect Mageia 7.
David Walser 2021-05-30 00:19:16 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 9.4.39
Blocks: (none) => 27649

Comment 1 David Walser 2021-06-21 19:11:08 CEST 
Debian-LTS has issued an advisory on June 17:
https://www.debian.org/lts/security/2021/dla-2688

The issue is fixed upstream in 9.4.41:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq

Mageia 7 and Mageia 8 are also affected.

Version: 8 => Cauldron
Status comment: Fixed upstream in 9.4.39 => Fixed upstream in 9.4.41
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5] => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9]
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 2 David Walser 2021-06-21 19:36:58 CEST 
SUSE has issued an advisory for this on June 17:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009033.html

They updated to 9.4.42.
Comment 3 David Walser 2021-07-01 18:55:36 CEST 
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 4 David Walser 2021-07-12 17:35:05 CEST 
openSUSE has issued an advisory for this on July 11:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/
Comment 5 Nicolas Lécureuil 2021-07-23 18:05:53 CEST 
cauldron is fixed.

I update mga8 to version 9.4.42.

A test to do is to see if eclipse still starts with new jetty


src:
    - jetty-9.4.42-1.mga8

CC: (none) => mageia
Version: Cauldron => 8
Status comment: Fixed upstream in 9.4.41 => (none)
Whiteboard: MGA8TOO => (none)
Assignee: java => qa-bugs

Comment 6 David Walser 2021-07-23 18:29:59 CEST 
jetty-9.4.42-1.mga8
jetty-client-9.4.42-1.mga8
jetty-util-9.4.42-1.mga8
jetty-server-9.4.42-1.mga8
jetty-http-9.4.42-1.mga8
jetty-io-9.4.42-1.mga8
jetty-servlet-9.4.42-1.mga8
jetty-webapp-9.4.42-1.mga8
jetty-xml-9.4.42-1.mga8
jetty-security-9.4.42-1.mga8
jetty-util-ajax-9.4.42-1.mga8
jetty-jmx-9.4.42-1.mga8
jetty-jaas-9.4.42-1.mga8
jetty-continuation-9.4.42-1.mga8
jetty-javadoc-9.4.42-1.mga8

from jetty-9.4.42-1.mga8.src.rpm
Comment 7 Aurelien Oudelet 2021-07-23 22:33:27 CEST 
Advisory:
========================

Updated jetty packages fix security vulnerabilities:

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and
11.0.0 when Jetty handles a request containing multiple Accept headers with a
large number of “quality” (i.e. q) parameters, the server may enter
a denial of service (DoS) state due to high CPU usage processing those quality
values, resulting in minutes of CPU time exhausted processing those quality
values (CVE-2020-27223).

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory
(CVE-2021-28163).

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application (CVE-2021-28164).

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to
11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame
(CVE-2021-28165).

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected
resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive
information regarding the implementation of a web application (CVE-2021-28169).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29034
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27223
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28163
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28164
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28165
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28169
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/
 - https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
 - https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
 - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
 - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
 - https://www.debian.org/lts/security/2021/dla-2688
========================

Updated packages in core/updates_testing:
========================
jetty-9.4.42-1.mga8
jetty-client-9.4.42-1.mga8
jetty-util-9.4.42-1.mga8
jetty-server-9.4.42-1.mga8
jetty-http-9.4.42-1.mga8
jetty-io-9.4.42-1.mga8
jetty-servlet-9.4.42-1.mga8
jetty-webapp-9.4.42-1.mga8
jetty-xml-9.4.42-1.mga8
jetty-security-9.4.42-1.mga8
jetty-util-ajax-9.4.42-1.mga8
jetty-jmx-9.4.42-1.mga8
jetty-jaas-9.4.42-1.mga8
jetty-continuation-9.4.42-1.mga8
jetty-javadoc-9.4.42-1.mga8

from jetty-9.4.42-1.mga8.src.rpm

CC: (none) => ouaurelien

Comment 8 Herman Viaene 2021-07-27 15:34:46 CEST 
MGA8-64 Plasma on Lenovo B50
No apparent installation issues.
Tried to follow bug 21202 Len's tests, but ....
$ export JETTY_HOME=/usr/share/jetty
$ export JETTY_BASE=/home/tester8/Documenten/jetty/
$ java -jar $JETTY_HOME/start.jar --create-startd
Error: Unable to access jarfile /usr/share/jetty/start.jar
Checked and found no start.jar, checked MCC and package jetty shows:no files found. That doesn't seem normal to me.

CC: (none) => herman.viaene

Comment 9 Len Lawrence 2021-07-28 19:53:37 CEST 
I can confirm Herman's findings.  No /usr/share/jetty directory but there is a /usr/share/java/jetty directory without start.jar.  start.jar does not exist.
There are client and server jars however so maybe the startup process has changed.  Shall look into it.
This link was last updated about a year ago https://zetcode.com/java/jetty/introduction/ and implies that the start.jar resource file should be available as part of the tarball.  This is what should be in JETTY_HOME according to the docs:
$ ls -F
bin/        lib/                        modules/     resources/  start.jar
demo-base/  license-eplv10-aslv20.html  notice.html  start.d/    VERSION.txt
etc/        logs/                       README.TXT   start.ini   webapps/

For jetty the licences can be found here under /usr/share/licenses:
jetty-javadoc:
LICENSE  LICENSE-MIT  NOTICE.txt

jetty-util:
LICENSE  LICENSE-MIT  NOTICE.txt

Official reference documentation at https://www.eclipse.org/jetty/documentation.php.  Apparently jetty has reached version 11 but there is still documentation for version 9.  That also talks about starting things off with the start.jar file so it does seem that we should have it.  Maybe Nicolas can throw some light on this.

CC: (none) => tarazed25
Keywords: (none) => feedback

Comment 10 David Walser 2021-08-05 18:44:50 CEST 
Debian has issued an advisory for this on August 4:
https://www.debian.org/security/2021/dsa-4949

It also lists CVE-2021-34428, fixed upstream in 9.4.41, also fixed in this update:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6

Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9] => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-34428

Comment 11 David Walser 2021-08-26 17:56:25 CEST 
SUSE has issued an advisory on August 25:
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009354.html

The issue is fixed upstream in 9.4.43:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm

Keywords: feedback => (none)
Whiteboard: (none) => MGA8TOO
Assignee: qa-bugs => java
Version: 8 => Cauldron
Status comment: (none) => Fixed upstream in 9.4.43
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-34428 => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89]

Comment 12 David Walser 2021-08-26 18:33:35 CEST 
(In reply to David Walser from comment #11)
> SUSE has issued an advisory on August 25:
> https://lists.suse.com/pipermail/sle-security-updates/2021-August/009354.html
> 
> The issue is fixed upstream in 9.4.43:
> https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-
> 65vm

openSUSE has issued an advisory for this on August 25:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3BXMLXWW5ACU3IDNEEUVRZ3WYWHNGPZM/
Comment 13 David Walser 2021-12-04 03:44:37 CET 
Updated to 9.4.43 by Nicolas.

jetty-client-9.4.43-1.mga8
jetty-util-9.4.43-1.mga8
jetty-server-9.4.43-1.mga8
jetty-http-9.4.43-1.mga8
jetty-io-9.4.43-1.mga8
jetty-servlet-9.4.43-1.mga8
jetty-webapp-9.4.43-1.mga8
jetty-xml-9.4.43-1.mga8
jetty-security-9.4.43-1.mga8
jetty-util-ajax-9.4.43-1.mga8
jetty-jmx-9.4.43-1.mga8
jetty-jaas-9.4.43-1.mga8
jetty-continuation-9.4.43-1.mga8
jetty-9.4.43-1.mga8
jetty-javadoc-9.4.43-1.mga8

from jetty-9.4.43-1.mga8.src.rpm

Status comment: Fixed upstream in 9.4.43 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: java => qa-bugs

Comment 14 Herman Viaene 2021-12-06 11:33:10 CET 
Installed the latest 9.4.43-1, but still the same problem as  in Comment 8.
Did some checks:
package jetty is empty
in the other packkages, the path seems to be /usr/share/java/jetty i.s.o. /usr/share/jetty
there is nowhere a start.jar.
Comment 15 Len Lawrence 2021-12-06 14:33:55 CET 
@Herman:
With the pre-update jetty Eclipse does start up from the menus.  Look in Development -> Development Environments.
Comment 16 Len Lawrence 2021-12-06 22:15:29 CET 
mga8, x64

Updated all the packages and launched Eclipse from the system menus and hit Launch when the gui appeared.  Tried the various help options but did not get any response so presumably there is some prior jetty configuration required and possible a server and client running.  Anyway, it starts up cleanly.
Comment 17 Len Lawrence 2021-12-06 22:37:42 CET 
Following comment 16, discovered that java path had not been updated since Mageia 6.  Amended that to /usr/lib/jvm/java-11-openjdk-11.0.11.0.9-0.1.mga8.x86_64/jre

$ eclipse
Gui launches to the Welcome screen and reports
"Error resolving “org.eclipse.ui.intro”: Name or service not known"
Comment 18 Len Lawrence 2021-12-06 23:14:03 CET 
As Herman discovered, there is no /usr/share/jetty.  The online documentation implies that the JETTY_HOME environment variable should already be defined and states that this value must not be changed.  That cannot be correct if it does not exist.
$ export JETTY_HOME='/usr/share/java/jetty'
$ ll $JETTY_HOME
total 2512
-rw-r--r-- 1 root root 314337 Dec  3 22:36 jetty-client.jar
-rw-r--r-- 1 root root  15390 Dec  3 22:36 jetty-continuation.jar
-rw-r--r-- 1 root root 214664 Dec  3 22:36 jetty-http.jar
-rw-r--r-- 1 root root 168897 Dec  3 22:36 jetty-io.jar
-rw-r--r-- 1 root root  37603 Dec  3 22:36 jetty-jaas.jar
-rw-r--r-- 1 root root  32358 Dec  3 22:36 jetty-jmx.jar
-rw-r--r-- 1 root root 108484 Dec  3 22:36 jetty-security.jar
-rw-r--r-- 1 root root 707230 Dec  3 22:36 jetty-server.jar
-rw-r--r-- 1 root root 135874 Dec  3 22:36 jetty-servlet.jar
-rw-r--r-- 1 root root  55246 Dec  3 22:36 jetty-util-ajax.jar
-rw-r--r-- 1 root root 565304 Dec  3 22:36 jetty-util.jar
-rw-r--r-- 1 root root 130301 Dec  3 22:36 jetty-webapp.jar
-rw-r--r-- 1 root root  58293 Dec  3 22:36 jetty-xml.jar

So maybe 'start.jar' is a coverall for any of those applications?

$ cd $JETTY_BASE
$ java -jar $JETTY_HOME/jetty-client.jar
no main manifest attribute, in /usr/share/java/jetty/jetty-client.jar
Comment 19 Len Lawrence 2021-12-06 23:16:34 CET 
Eclipse now starts up but freezes on the Welcome screen.
Comment 20 Len Lawrence 2021-12-13 10:33:45 CET 
@Nicolas, regarding the Eclipse failure:
Error resolving “org.eclipse.ui.intro”: Name or service not known
Does that mean that something is missing from the java environment on this machine?  How to diagnose this?

Keywords: (none) => feedback

Comment 21 Len Lawrence 2021-12-13 10:41:04 CET 
Further to comment 20:
$ locate org.eclipse.ui.intro
/org.eclipse.ui.intro.universal
....
/usr/lib/eclipse/plugins/org.eclipse.ui.intro.*
.....
Comment 22 Dave Hodgins 2021-12-19 22:37:08 CET 
Strange. The package jetty has no requires, suggests, recommends or files.
I'd expect it to be a task package that would require at least some of the other
packages, but as is, it serves no purpose. That however is not a regression.

According to https://www.eclipse.org/jetty/documentation/jetty-9/index.html#quick-start there is supposed to be a start.jar file. That's missing, but again that is
not a regression.

With the current directory /usr/share/java/jetty running
# java -jar jetty-client.jar 
no main manifest attribute, in jetty-client.jar

Seems there is no main manifest attribute in any of the jetty jar files.

This seems to be an unusable package, unless there are Mageia specific
instructions provided for how it's supposed to be run.

There is an open bug report, bug 8592 from 6 years ago. I suspect no one has used
it since then and updates just passed based on clean install over the release
version since then.

If I'm correct that the package is completely broken, it should be dropped from
cauldron, and not updated further for Mageia 8.

CC: (none) => davidwhodgins

Comment 23 David Walser 2022-08-03 00:50:14 CEST 
Debian has issued an advisory today (August 2):
https://www.debian.org/security/2022/dsa-5198

The issues are fixed upstream in 9.4.47:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j

Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO
Keywords: feedback => (none)
Status comment: (none) => Fixed upstream in 9.4.47
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89] => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89], CVE-2022-204[78]
Version: 8 => Cauldron
Severity: major => critical
Assignee: qa-bugs => java

Comment 24 Nicolas Salguero 2024-03-15 09:52:22 CET 
Hi,

After looking at that package, I think that it cannot do anything useful since we switched it to a minimal build (because we had to drop dependencies needed to build it completely).

It is required by no other package so, IMHO, it should be dropped from Cauldron and we could close that bug as WONTFIX because, even if it has security issues in the code, nobody can exploit them.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 25 David Walser 2024-03-15 14:29:53 CET 
Sounds good.
Comment 26 Nicolas Salguero 2024-03-15 15:06:42 CET 
done

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX

Comment 27 David GEIGER 2024-03-15 15:40:06 CET 
Are you sure??? jetty do not provides just one pkg but some others:

jetty-9.4.43-2.mga9.src.rpm provides:

jetty-9.4.43-2.mga9.noarch.rpm
jetty-xml-9.4.43-2.mga9.noarch.rpm
jetty-jmx-9.4.43-2.mga9.noarch.rpm
jetty-webapp-9.4.43-2.mga9.noarch.rpm
jetty-security-9.4.43-2.mga9.noarch.rpm
jetty-servlet-9.4.43-2.mga9.noarch.rpm
jetty-io-9.4.43-2.mga9.noarch.rpm
jetty-http-9.4.43-2.mga9.noarch.rpm
jetty-jaas-9.4.43-2.mga9.noarch.rpm
jetty-client-9.4.43-2.mga9.noarch.rpm
jetty-continuation-9.4.43-2.mga9.noarch.rpm
jetty-util-ajax-9.4.43-2.mga9.noarch.rpm
jetty-server-9.4.43-2.mga9.noarch.rpm
jetty-util-9.4.43-2.mga9.noarch.rpm
jetty-javadoc-9.4.43-2.mga9.noarch.rpm

CC: (none) => geiger.david68210

Comment 28 David GEIGER 2024-03-15 15:41:05 CET 
I do not see any reason to drop it right now!
Comment 29 David Walser 2024-03-15 17:25:27 CET 
Is there a reason to keep it?  IIRC it was originally imported as a dep of Eclipse, which we've since dropped.  Also, Claire filed a bug several years ago for it using a port which didn't match the documentation, which was completely ignored.
Comment 30 Dave Hodgins 2024-03-15 18:31:25 CET 
$ urpmq --whatrequires-recursive jetty-io|grep -v ^jetty|sort -u
buildnumber-maven-plugin
java-diff-utils-jgit
jboss-parent
jgit
maven-scm
maven-scm-test
shrinkwrap-depchain
shrinkwrap-depchain-java7
shrinkwrap-parent
Note You need to log in before you can comment on or make changes to this bug.