[jetty-announce] CVE-2015-2080 : JetLeak Vulnerability Remote Leakage of Shared Buffers in Jetty

Joakim Erdfelt

A Security Vulnerability in Jetty 9.2.3.v20140905 through 9.2.8.v20150217 (including 9.3.0.M0 and 9.3.0.M1 currently in beta/milestones) was recently discovered by Gotham Digital Science and Stephen Komal.


Note: The Jetty 9.2.9.v20150224 release has the fix.  A new release of Jetty 9.3.0 (currently in unstable beta/milestones) is being worked on.


The details of the vulnerability can be found both at blogs.gdssecurity.com and at github.com/eclipse/jetty.project.


We would like to thank Gotham Digital Science and Stephen Komal for their timely notice and excellent detailed analysis of this issue. Based on their feedback we were able to quickly resolve the problem and determine the necessary steps to take to remediate the issue.  


We determined that the severity of this bug was high enough that getting a release out and publishing the details was vital and important to our user base.  We independently made the decision to publish the details of this vulnerability well ahead of the normal CVE disclosure process.


Timeline:

  • Feb 23, 2015 - The general Jetty Project committer base was made aware of vulnerability

  • Feb 23, 2015 - The vulnerability was validated, and its root cause was quickly determined to be a bad implementation of a feature request for more details on HttpParser parsing errors.

  • Feb 24, 2015 - A patch was finalized, tested, and a new release of Jetty 9.2.9 was published with this fix in place.


For commercial support of Jetty, please consider working with Webtide, the company that fully funds the ongoing development of the Jetty project through services and support.  


--
Joakim Erdfelt <[hidden email]>
Expert advice, services and support from the Jetty & CometD experts

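The announcement names the root cause only in general terms: a feature meant to add detail to HttpParser parse errors ended up exposing a shared buffer. As an added illustration of that bug class, the following is a constructed Python model written for this page. It is not Jetty's HttpParser, not the JetLeak payload, and not taken from the GDS write-up; the buffer size, class and function names, and both sample requests are assumptions. The model shows why echoing a pooled buffer into an error message leaks another client's data, and what the bounded error report looks like instead.

```python
# Constructed model of the bug class named in the announcement: an error-detail
# feature that echoes a pooled (shared) parser buffer back to the client.
# Illustrative code written for this page, not Jetty's HttpParser and not the
# JetLeak payload; names, buffer layout and sample requests are assumptions.

POOLED_BUFFER_SIZE = 256  # assumed pool buffer size for the model


class SharedBuffer:
    """A pooled I/O buffer that is reused across connections without clearing."""

    def __init__(self, size=POOLED_BUFFER_SIZE):
        self.data = bytearray(size)

    def load(self, request):
        """Copy a request to the front of the buffer; return its [start, end) slice.
        Bytes beyond `end` are whatever the previous user of the buffer left there."""
        self.data[: len(request)] = request
        return 0, len(request)


class ParseError(Exception):
    pass


def _first_illegal_header_byte(data, start, end):
    """Index of the first control byte in [start, end), or -1 if none.
    CR, LF and HTAB are legal in a header block; other bytes < 0x20 and DEL are not."""
    for i in range(start, end):
        b = data[i]
        if b in (0x0D, 0x0A, 0x09):
            continue
        if b < 0x20 or b == 0x7F:
            return i
    return -1


def parse_headers_leaky(buf, start, end):
    """Vulnerable variant: the 'helpful' error message dumps the whole pooled buffer,
    including stale bytes past `end` that belong to another client's request."""
    i = _first_illegal_header_byte(buf.data, start, end)
    if i >= 0:
        raise ParseError(
            "Illegal character 0x%02x in buffer %r" % (buf.data[i], bytes(buf.data))
        )
    return bytes(buf.data[start:end])


def parse_headers_fixed(buf, start, end):
    """Hardened variant: report only the offending byte value and its offset within
    the current request; never echo buffer contents to the client."""
    i = _first_illegal_header_byte(buf.data, start, end)
    if i >= 0:
        raise ParseError("Illegal character 0x%02x at offset %d" % (buf.data[i], i - start))
    return bytes(buf.data[start:end])


def error_message(parser, buf, start, end):
    """Run a parser and return the error text a client would see ('' if no error)."""
    try:
        parser(buf, start, end)
    except ParseError as exc:
        return str(exc)
    return ""


def demo():
    """A victim request fills the pooled buffer; a later, shorter attacker request with
    an illegal byte triggers the error path. Returns (leaky_message, fixed_message)."""
    buf = SharedBuffer()
    victim = (b"GET /account HTTP/1.1\r\nHost: example.test\r\n"
              b"Authorization: Bearer s3cr3t-token\r\n\r\n")  # constructed sample
    if error_message(parse_headers_leaky, buf, *buf.load(victim)) != "":
        raise RuntimeError("victim request should parse cleanly")

    attacker = b"GET / HTTP/1.1\r\nHost: \x00evil\r\n\r\n"  # constructed sample
    start, end = buf.load(attacker)
    leaky = error_message(parse_headers_leaky, buf, start, end)
    fixed = error_message(parse_headers_fixed, buf, start, end)
    return leaky, fixed


if __name__ == "__main__":
    leaky_msg, fixed_msg = demo()
    print("vulnerable:", leaky_msg)
    print("fixed:     ", fixed_msg)
    print("token leaked:", "s3cr3t-token" in leaky_msg)
```

In the model the attacker's request is shorter than the victim's, so the victim's Authorization header is still sitting past the attacker's `end` offset when the error path runs; the vulnerable variant includes it in the message, the hardened variant reports only the byte value and offset. The general rule the fix illustrates: any diagnostic that reaches a client must be bounded to the current request's own bytes (or better, logged server-side only), and a regression test for a parser error path should assert that the error response contains nothing from outside `[start, end)`.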