[jetty-dev] Indexing/Listing Vulnerability in Jetty


[jetty-dev] Indexing/Listing Vulnerability in Jetty

Chris Walker

Hello!

Greetings from the team at Webtide. We wanted to make you aware of a vulnerability that was recently discovered in Jetty and reported as CVE-2019-10241, CVE-2019-10246 and CVE-2019-10247.

If you are using DefaultServlet or ResourceHandler with indexing/listing, then you are vulnerable to a variant of XSS behaviors surrounding the use of injected HTML element attributes on the parent directory link. We recommend disabling indexing/listing or upgrading to a non-vulnerable version.

We have put together a blog post that contains more information on how to disable indexing/listing, which can be found on the Webtide website.

Additionally, we discovered that usages of DefaultHandler were susceptible to a similar leak of information. If no webapp was mounted on the root "/" namespace, a page would be generated with links to other namespaces. This has been the default behavior in Jetty for years, but we have removed this to safeguard data.

As a result of these CVEs, we have released new versions for the 9.2.x, 9.3.x, and 9.4.x branches. The most up-to-date versions of all three are as follows, and are available both on the Jetty website and Maven Central.

Versions affected:

  • 9.2.26 and older (now EOL)
  • 9.3.25 and older
  • 9.4.15 and older

Resolved:

  • 9.2.28.v20190418
  • 9.3.27.v20190418
  • 9.4.17.v20190418

Best Regards,
The Webtide Team


_______________________________________________
jetty-dev mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-dev

Re: [jetty-dev] [jetty-users] Indexing/Listing Vulnerability in Jetty

Joakim Erdfelt-8
Before you go changing things, start with just using Server.setDumpAfterStart(true); or use WebAppContext.dump() to see what's the truth about your app.
If you have a DefaultServlet present on your WebAppContext, then you'll want to pay attention.

You can turn off Directory Listings instead of upgrading ...

If you have a WEB-INF/web.xml you can use the following snippet.

<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
  <init-param>
    <param-name>dirAllowed</param-name>
    <param-value>false</param-value>
  </init-param>
  <!-- ... (other init) ... -->
  <load-on-startup>0</load-on-startup>
</servlet>

Or you can simply use an alternate webdefault.xml via the WebAppContext.setDefaultsDescriptor(String defaultsDescriptorLocation)
Just copy the existing webdefault.xml and edit it to suit your needs.

The alternate Default Descriptor can also be configured via the DeploymentManager and the WebAppProvider.setDefaultsDescriptor(String), which will be used with all deployed WebAppContexts.

Joakim Erdfelt / [hidden email]
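The advisory above names three places where listing or context enumeration can happen (DefaultServlet, ResourceHandler, DefaultHandler), and the reply above shows the web.xml and webdefault.xml routes for DefaultServlet. The following embedded-Jetty example, added here by the editor and not code from the thread or from the Jetty project, turns all three off programmatically in one place and enables the dump the reply recommends for checking what actually ended up in the server. The file paths and context names are placeholders; the context init-param prefix `org.eclipse.jetty.servlet.Default.` is the one DefaultServlet consults before its own servlet init-params, and `setDirectoriesListed` / `setShowContexts` are the Jetty 9 setters for the other two components.

```java
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.webapp.WebAppContext;

/**
 * Editor-added example (not from the thread): an embedded Jetty 9 server with
 * directory listing and context enumeration disabled on every component the
 * advisory mentions. All paths below are placeholders.
 */
public class NoDirectoryListing {

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // Print the handler tree after startup so you can verify whether a
        // DefaultServlet (pulled in by webdefault.xml) or a DefaultHandler is
        // really present, before deciding what to change.
        server.setDumpAfterStart(true);

        // 1. WebAppContext: webdefault.xml registers DefaultServlet with
        //    dirAllowed=true. The context-scoped parameter with the
        //    "org.eclipse.jetty.servlet.Default." prefix overrides it without
        //    touching web.xml or webdefault.xml.
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/app");
        webapp.setWar("/placeholder/path/app.war");            // placeholder
        webapp.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
        // Alternative from the reply: point at an edited copy of webdefault.xml.
        // webapp.setDefaultsDescriptor("/placeholder/path/webdefault-nolisting.xml");

        // 2. Plain ServletContextHandler with an explicitly registered
        //    DefaultServlet: the equivalent of the web.xml snippet in the reply.
        ServletContextHandler staticCtx = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        staticCtx.setContextPath("/static");
        staticCtx.setResourceBase("/placeholder/path/static");   // placeholder
        ServletHolder holder = new ServletHolder("default", DefaultServlet.class);
        holder.setInitParameter("dirAllowed", "false");
        holder.setInitOrder(0);
        staticCtx.addServlet(holder, "/");

        // 3. ResourceHandler has its own listing switch, independent of
        //    DefaultServlet; wrap it in a ContextHandler so it only serves one path.
        ResourceHandler files = new ResourceHandler();
        files.setResourceBase("/placeholder/path/files");         // placeholder
        files.setDirectoriesListed(false);
        ContextHandler filesCtx = new ContextHandler("/files");
        filesCtx.setHandler(files);

        // 4. DefaultHandler: when nothing is mounted on "/", do not generate the
        //    page that links to every other deployed context.
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);

        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[] { webapp, staticCtx, filesCtx, fallback });
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}
```

After startup, the dump printed by `setDumpAfterStart(true)` should show `dirAllowed=false` on each DefaultServlet holder; requesting a directory URL such as `/static/` should then return 403 rather than an HTML index. Disabling listing removes the attack surface for the listing page itself, but it does not change the Jetty version, so upgrading to the resolved releases listed in the advisory is still the complete fix.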


On Mon, Apr 22, 2019 at 5:06 PM <[hidden email]> wrote:

So the answer is “no, you need to upgrade.” :)

Thank you for the very quick reply.


From: [hidden email] <[hidden email]> On Behalf Of Joakim Erdfelt
Sent: Monday, April 22, 2019 15:04
To: JETTY user mailing list <[hidden email]>
Cc: Jetty @ Eclipse developer discussion list <[hidden email]>; Jetty Announce @ Eclipse <[hidden email]>
Subject: Re: [jetty-users] Indexing/Listing Vulnerability in Jetty


DefaultServlet is added by default if using a WebAppContext.

Why? well, the WebAppContext loads the webdefault.xml from system resources, which has the DefaultServlet present.

That same webdefault.xml has `dirAllowed` set to true by default.


The DefaultHandler is only present if you specifically set it up to use it.

The jetty-home (and the older jetty-distribution) usages do set it up by default, but embedded-jetty has no such behavior.


Joakim Erdfelt / [hidden email]


On Mon, Apr 22, 2019 at 4:11 PM <[hidden email]> wrote:

Thank you for all of your excellent work over the years.

I am using a customized, embedded version of Jetty (which is an OSS project that I hope to publicly launch soon!) that does not use either one. I’m ok, right? (Although it would not be a big deal to upgrade to the latest Jetty, so maybe I should upgrade anyhow.)

Thanks

--Steve


From: [hidden email] <[hidden email]> On Behalf Of Chris Walker
Sent: Monday, April 22, 2019 11:32
To: JETTY user mailing list <[hidden email]>; Jetty @ Eclipse developer discussion list <[hidden email]>; [hidden email]
Subject: [jetty-users] Indexing/Listing Vulnerability in Jetty


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
