[jetty-announce] Jetty 9.3.x/Windows Security Vulnerability CVE-2016-4800

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jetty-announce] Jetty 9.3.x/Windows Security Vulnerability CVE-2016-4800

Greg Wilkins
Jetty 9.3.0 to 9.3.8 inclusive is vulnerable to an aliasing issue when running on Windows platform.
The vulnerability allows raw file resources protected by security constraints or in WEB-INF to be revealed.     Only resources within the webapp are vulnerable.

The issue was fixed in release jetty-9.3.9, which is available via eclipse download or in the maven central repository.  A work around is also documented in the ocert announcement below. Rewrite rules and/or filters can be installed that disallow URIs containing the \ character.


This vulnerability is an example of an alias vulnerability, where a resource on the file system can be accessed via different names.   Thus if a security configuration allows all URIs except for specific patterns, then any aliases that bypass the specific patterns can create a security vulnerability.  Since updates to files systems and/or JVM libraries can (and has) introduced new types of aliases, it is  good security practise is to install a deny constraint on all URIs and then selectively allow specific URIs.

The CVE is not yet visible in the NVD database.

The Jetty team would like to acknowledge the assistance of ocert in finding and handling this issue.

--

_______________________________________________
jetty-announce mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-announce