Bug 29034 - jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89]
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Java Stack Maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on:
Blocks: 27649
Reported: 2021-05-30 00:18 CEST by David Walser
Modified: 2021-08-26 18:33 CEST (History)

See Also:
Source RPM: jetty-9.4.35-1.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 9.4.43


Description David Walser 2021-05-30 00:18:57 CEST
Fedora has issued an advisory on April 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/

The only CVE explicitly listed is CVE-2021-28163, fixed in 9.4.39.

There are more, here are the upstream advisories:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

CVE-2021-2816[34] only affect Mageia 8.  The others also affect Mageia 7.
David Walser 2021-05-30 00:19:16 CEST

Blocks: (none) => 27649
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 9.4.39

Comment 1 David Walser 2021-06-21 19:11:08 CEST
Debian-LTS has issued an advisory on June 17:
https://www.debian.org/lts/security/2021/dla-2688

The issue is fixed upstream in 9.4.41:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq

Mageia 7 and Mageia 8 are also affected.

Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5] => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9]
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Status comment: Fixed upstream in 9.4.39 => Fixed upstream in 9.4.41
Version: 8 => Cauldron

Comment 2 David Walser 2021-06-21 19:36:58 CEST
SUSE has issued an advisory for this on June 17:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009033.html

They updated to 9.4.42.
Comment 3 David Walser 2021-07-01 18:55:36 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 4 David Walser 2021-07-12 17:35:05 CEST
openSUSE has issued an advisory for this on July 11:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/
Comment 5 Nicolas Lécureuil 2021-07-23 18:05:53 CEST
cauldron is fixed.

I updated mga8 to version 9.4.42.

A test to do is to see if eclipse still starts with the new jetty.


src:
    - jetty-9.4.42-1.mga8

Whiteboard: MGA8TOO => (none)
Assignee: java => qa-bugs
Status comment: Fixed upstream in 9.4.41 => (none)
CC: (none) => mageia
Version: Cauldron => 8

Comment 6 David Walser 2021-07-23 18:29:59 CEST
jetty-9.4.42-1.mga8
jetty-client-9.4.42-1.mga8
jetty-util-9.4.42-1.mga8
jetty-server-9.4.42-1.mga8
jetty-http-9.4.42-1.mga8
jetty-io-9.4.42-1.mga8
jetty-servlet-9.4.42-1.mga8
jetty-webapp-9.4.42-1.mga8
jetty-xml-9.4.42-1.mga8
jetty-security-9.4.42-1.mga8
jetty-util-ajax-9.4.42-1.mga8
jetty-jmx-9.4.42-1.mga8
jetty-jaas-9.4.42-1.mga8
jetty-continuation-9.4.42-1.mga8
jetty-javadoc-9.4.42-1.mga8

from jetty-9.4.42-1.mga8.src.rpm
Comment 7 Aurelien Oudelet 2021-07-23 22:33:27 CEST
Advisory:
========================

Updated jetty packages fix security vulnerabilities:

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and
11.0.0 when Jetty handles a request containing multiple Accept headers with a
large number of “quality” (i.e. q) parameters, the server may enter
a denial of service (DoS) state due to high CPU usage processing those quality
values, resulting in minutes of CPU time exhausted processing those quality
values (CVE-2020-27223).

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to
11.0.1, if a user uses a webapps directory that is a symlink, the contents of the
webapps directory is deployed as a static webapp, inadvertently serving the
webapps themselves and anything else that might be in that directory
(CVE-2021-28163).

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance
mode allows requests with URIs that contain %2e or %2e%2e segments to access
protected resources within the WEB-INF directory. For example a request to
/context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal
sensitive information regarding the implementation of a web application
(CVE-2021-28164).

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to
11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame
(CVE-2021-28165).

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for
requests to the ConcatServlet with a doubly encoded path to access protected
resources within the WEB-INF directory. For example a request to
`/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal
sensitive information regarding the implementation of a web application
(CVE-2021-28169).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29034
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27223
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28163
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28164
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28165
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28169
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/
 - https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
 - https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
 - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
 - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
 - https://www.debian.org/lts/security/2021/dla-2688
========================

Updated packages in core/updates_testing:
========================
jetty-9.4.42-1.mga8
jetty-client-9.4.42-1.mga8
jetty-util-9.4.42-1.mga8
jetty-server-9.4.42-1.mga8
jetty-http-9.4.42-1.mga8
jetty-io-9.4.42-1.mga8
jetty-servlet-9.4.42-1.mga8
jetty-webapp-9.4.42-1.mga8
jetty-xml-9.4.42-1.mga8
jetty-security-9.4.42-1.mga8
jetty-util-ajax-9.4.42-1.mga8
jetty-jmx-9.4.42-1.mga8
jetty-jaas-9.4.42-1.mga8
jetty-continuation-9.4.42-1.mga8
jetty-javadoc-9.4.42-1.mga8

from jetty-9.4.42-1.mga8.src.rpm

CC: (none) => ouaurelien
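
As an added example (not part of this bug report and not Jetty's own code), the following Python script shows how a defender can spot the two URI-normalisation issues named in the advisory above (CVE-2021-28164 and CVE-2021-28169) in web-server access logs. It percent-decodes each request target until it stops changing, resolves "." and ".." segments the way a canonicalising server would, and flags any request whose path or query resolves into WEB-INF or META-INF, recording how many decode rounds were needed (one round for the %2e form, two for the doubly encoded ConcatServlet form). The log lines, client addresses and the combined-log regular expression are constructed for the example; the detection is generic and is not limited to the two request shapes quoted in the advisory.

```python
"""Scan access-log lines for requests that canonicalise into protected Jetty
directories (WEB-INF, META-INF) via percent-encoded or dot segments.

Added example for this bug report; constructed sample data, not Jetty code.
"""
import re
from urllib.parse import unquote

PROTECTED = ("WEB-INF", "META-INF")
MAX_DECODE_ROUNDS = 3  # stop after this many rounds even if still changing

# Combined/common log format; assumed layout for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one benign request, the two advisory request shapes
# (CVE-2021-28164 single-encoded dot, CVE-2021-28169 double-encoded path),
# and another benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jul/2021:15:34:46 +0200] "GET /context/index.html HTTP/1.1" 200 512
203.0.113.5 - - [27/Jul/2021:15:34:47 +0200] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 1834
198.51.100.9 - - [27/Jul/2021:15:34:48 +0200] "GET /concat?/%2557EB-INF/web.xml HTTP/1.1" 200 1834
198.51.100.9 - - [27/Jul/2021:15:34:49 +0200] "GET /context/images/logo.png HTTP/1.1" 200 4096
"""


def decode_fully(text):
    """Percent-decode until the value stops changing.

    Returns (decoded, rounds). rounds > 1 means the input was multiply
    encoded, which a legitimate client almost never sends.
    Note: urllib's unquote also decodes %2F; that is acceptable here because
    we only want the most permissive reading for detection purposes.
    """
    rounds = 0
    current = text
    while rounds < MAX_DECODE_ROUNDS:
        nxt = unquote(current)
        if nxt == current:
            break
        current = nxt
        rounds += 1
    return current, rounds


def normalize_segments(path):
    """Resolve empty, '.' and '..' segments into a canonical absolute path."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def classify_request(target):
    """Inspect the path and the query of one request target separately.

    The query is checked too because the ConcatServlet case carries the
    protected path after the '?'.
    """
    path, _, query = target.partition("?")
    findings = []
    for where, part in (("path", path), ("query", query)):
        if not part:
            continue
        decoded, rounds = decode_fully(part)
        canonical = normalize_segments(decoded)
        segments = canonical.upper().split("/")
        hits = [name for name in PROTECTED if name in segments]
        if hits:
            findings.append({
                "where": where,
                "protected": hits,
                "decode_rounds": rounds,
                "canonical": canonical,
            })
    return {"target": target, "suspicious": bool(findings), "findings": findings}


def scan_log(text):
    """Return one alert dict per suspicious request found in the log text."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        verdict = classify_request(m.group("target"))
        if verdict["suspicious"]:
            alerts.append({
                "client": m.group("client"),
                "status": int(m.group("status")),
                **verdict,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        f = alert["findings"][0]
        print(f'{alert["client"]} status={alert["status"]} '
              f'{f["where"]} -> {f["canonical"]} (decode rounds: {f["decode_rounds"]})')
```

A 200 status on a flagged request is the signal worth paging on: on a patched Jetty the canonical target is refused, so a successful fetch of a WEB-INF path means the normalisation bypass worked. Requests with zero decode rounds that still hit WEB-INF are ordinary probes that Jetty already rejects, but the decode-round count lets you separate those from deliberate encoding evasion.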

Comment 8 Herman Viaene 2021-07-27 15:34:46 CEST
MGA8-64 Plasma on Lenovo B50
No apparent installation issues.
Tried to follow bug 21202 Len's tests, but ....
$ export JETTY_HOME=/usr/share/jetty
$ export JETTY_BASE=/home/tester8/Documenten/jetty/
$ java -jar $JETTY_HOME/start.jar --create-startd
Error: Unable to access jarfile /usr/share/jetty/start.jar
Checked and found no start.jar, checked MCC and package jetty shows: no files found. That doesn't seem normal to me.

CC: (none) => herman.viaene

Comment 9 Len Lawrence 2021-07-28 19:53:37 CEST
I can confirm Herman's findings.  No /usr/share/jetty directory but there is a /usr/share/java/jetty directory without start.jar.  start.jar does not exist.
There are client and server jars however so maybe the startup process has changed.  Shall look into it.
This link was last updated about a year ago https://zetcode.com/java/jetty/introduction/ and implies that the start.jar resource file should be available as part of the tarball.  This is what should be in JETTY_HOME according to the docs:
$ ls -F
bin/        lib/                        modules/     resources/  start.jar
demo-base/  license-eplv10-aslv20.html  notice.html  start.d/    VERSION.txt
etc/        logs/                       README.TXT   start.ini   webapps/

For jetty the licences can be found here under /usr/share/licenses:
jetty-javadoc:
LICENSE  LICENSE-MIT  NOTICE.txt

jetty-util:
LICENSE  LICENSE-MIT  NOTICE.txt

Official reference documentation at https://www.eclipse.org/jetty/documentation.php.  Apparently jetty has reached version 11 but there is still documentation for version 9.  That also talks about starting things off with the start.jar file so it does seem that we should have it.  Maybe Nicolas can throw some light on this.

Keywords: (none) => feedback
CC: (none) => tarazed25

Comment 10 David Walser 2021-08-05 18:44:50 CEST
Debian has issued an advisory for this on August 4:
https://www.debian.org/security/2021/dsa-4949

It also lists CVE-2021-34428, fixed upstream in 9.4.41, also fixed in this update:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6

Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9] => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-34428

Comment 11 David Walser 2021-08-26 17:56:25 CEST
SUSE has issued an advisory on August 25:
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009354.html

The issue is fixed upstream in 9.4.43:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm

Keywords: feedback => (none)
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Assignee: qa-bugs => java
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-34428 => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89]
Status comment: (none) => Fixed upstream in 9.4.43

Comment 12 David Walser 2021-08-26 18:33:35 CEST
(In reply to David Walser from comment #11)
> SUSE has issued an advisory on August 25:
> https://lists.suse.com/pipermail/sle-security-updates/2021-August/009354.html
> 
> The issue is fixed upstream in 9.4.43:
> https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-
> 65vm

openSUSE has issued an advisory for this on August 25:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3BXMLXWW5ACU3IDNEEUVRZ3WYWHNGPZM/
