Re: Indexing/Listing Vulnerability in Jetty

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Indexing/Listing Vulnerability in Jetty

Steve Sobol - Lobos Studios

Thank you for all of your excellent work over the years.

I am using a customized, embedded version of Jetty (which is an OSS project that I hope to publicly launch soon!) that does not use either one. I’m ok, right? (Although it would not be a big deal to upgrade to the latest Jetty, so maybe I should upgrade anyhow.)

Thanks

--Steve

 

From: [hidden email] <[hidden email]> On Behalf Of Chris Walker
Sent: Monday, April 22, 2019 11:32
To: JETTY user mailing list <[hidden email]>; Jetty @ Eclipse developer discussion list <[hidden email]>; [hidden email]
Subject: [jetty-users] Indexing/Listing Vulnerability in Jetty

 

Hello!

Greetings from the team at Webtide. We wanted to make you aware of a vulnerability that was recently discovered in Jetty and reported as CVE-2019-10241, CVE-2019-10246 and CVE-2019-10247.

If you are using DefaultServlet or ResourceHandler with indexing/listing, then you are vulnerable to a variant of XSS behaviors surrounding the use of injected HTML element attributes on the parent directory link. We recommend disabling indexing/listing or upgrading to a non-vulnerable version.

We have put together a blog post that contains more information on how to disable indexing/listing, which can be found on the Webtide website.

Additionally, we discovered that usages of DefaultHandler were susceptible to a similar leak of information. If no webapp was mounted on the root "/" namespace, a page would be generated with links to other namespaces. This has been the default behavior in Jetty for years, but we have removed this to safeguard data.

As a result of these CVEs, we have released new versions for the 9.2.x, 9.3.x, and 9.4.x branches. The most up-to-date versions of all three are as follows, and are available both on the Jetty website and Maven Central.

Versions affected: 

  •   9.2.26 and older (now EOL)
  •   9.3.25 and older
  •   9.4.15 and older

Resolved: 

  • 9.2.28.v20190418
  • 9.3.27.v20190418
  • 9.4.17.v20190418

Best Regards,
The Webtide Team


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: Indexing/Listing Vulnerability in Jetty

Steve Sobol - Lobos Studios

So the answer is “no, you need to upgrade.” :)

Thank you for the very quick reply.

 

 

 

From: [hidden email] <[hidden email]> On Behalf Of Joakim Erdfelt
Sent: Monday, April 22, 2019 15:04
To: JETTY user mailing list <[hidden email]>
Cc: Jetty @ Eclipse developer discussion list <[hidden email]>; Jetty Announce @ Eclipse <[hidden email]>
Subject: Re: [jetty-users] Indexing/Listing Vulnerability in Jetty

 

DefaultServlet is added by default if using a WebAppContext.

Why? well, the WebAppContext loads the webdefault.xml from system resources, which has the DefaultServlet present.

That same webdefault.xml has `dirAllowed` set to true by default.

 

The DefaultHandler is only present if you specifically set it up to use it.

The jetty-home (and the older jetty-distribution) usages do set it up by default, but embedded-jetty has no such behavior.


Joakim Erdfelt / [hidden email]

 

 

On Mon, Apr 22, 2019 at 4:11 PM <[hidden email]> wrote:

Thank you for all of your excellent work over the years.

I am using a customized, embedded version of Jetty (which is an OSS project that I hope to publicly launch soon!) that does not use either one. I’m ok, right? (Although it would not be a big deal to upgrade to the latest Jetty, so maybe I should upgrade anyhow.)

Thanks

--Steve

 

From: [hidden email] <[hidden email]> On Behalf Of Chris Walker
Sent: Monday, April 22, 2019 11:32
To: JETTY user mailing list <[hidden email]>; Jetty @ Eclipse developer discussion list <[hidden email]>; [hidden email]
Subject: [jetty-users] Indexing/Listing Vulnerability in Jetty

 

Hello!

Greetings from the team at Webtide. We wanted to make you aware of a vulnerability that was recently discovered in Jetty and reported as CVE-2019-10241, CVE-2019-10246 and CVE-2019-10247.

If you are using DefaultServlet or ResourceHandler with indexing/listing, then you are vulnerable to a variant of XSS behaviors surrounding the use of injected HTML element attributes on the parent directory link. We recommend disabling indexing/listing or upgrading to a non-vulnerable version.

We have put together a blog post that contains more information on how to disable indexing/listing, which can be found on the Webtide website.

Additionally, we discovered that usages of DefaultHandler were susceptible to a similar leak of information. If no webapp was mounted on the root "/" namespace, a page would be generated with links to other namespaces. This has been the default behavior in Jetty for years, but we have removed this to safeguard data.

As a result of these CVEs, we have released new versions for the 9.2.x, 9.3.x, and 9.4.x branches. The most up-to-date versions of all three are as follows, and are available both on the Jetty website and Maven Central.

Versions affected: 

  •   9.2.26 and older (now EOL)
  •   9.3.25 and older
  •   9.4.15 and older

Resolved: 

  • 9.2.28.v20190418
  • 9.3.27.v20190418
  • 9.4.17.v20190418

Best Regards,
The Webtide Team

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users