java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)

Done
Submitted by Léo Le Bouter.
Details
2 participants
  • Julien Lepiller
  • Léo Le Bouter
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 2 Apr 12:37 +0200
(address . bug-guix@gnu.org)
0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@zaclys.net
CVE-2021-28165 01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

CVE-2021-28164 01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CVE-2021-28163 01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
The fix is to upgrade to latest version, currently: 9.4.39.v20210325

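As an added example (not part of this bug thread and not Guix code), the following Python check classifies a Jetty version string against the three affected ranges quoted in the report above, so a packager can see at a glance which of the CVEs a given release is in scope for. Parsing of the `.vYYYYMMDD`, `alphaN` and `betaN` suffixes, and the ordering alpha < beta < rc < final, are assumptions of this example.

```python
"""Classify a Jetty version against the affected ranges quoted in the report.
Added example, not part of the bug thread or of Guix; the ranges below are
copied from the three CVE descriptions, the suffix handling is an assumption."""
import re

_STAGE = {"alpha": 0, "beta": 1, "rc": 2}   # assumed pre-release ordering
_FINAL = 3                                  # a final release sorts after any pre-release


def parse_jetty_version(text):
    """Turn '9.4.37.v20210219', '10.0.0.beta2' or '9.4.6' into a comparable
    tuple (major, minor, patch, stage_rank, stage_number).  The '.vYYYYMMDD'
    suffix only marks a final release build and is ignored for ordering."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError("expected at least major.minor.patch: %r" % text)
    major, minor, patch = (int(p) for p in parts[:3])
    rank, num = _FINAL, 0
    for tag in parts[3:]:
        m = re.fullmatch(r"(alpha|beta|rc)(\d+)", tag)
        if m:
            rank, num = _STAGE[m.group(1)], int(m.group(2))
        elif not re.fullmatch(r"v\d{8}", tag):
            raise ValueError("unrecognised version component: %r" % tag)
    return (major, minor, patch, rank, num)


# Inclusive ranges, copied from the CVE texts quoted in the report above.
AFFECTED = {
    "CVE-2021-28165": [("7.2.2", "9.4.38"), ("10.0.0.alpha0", "10.0.1"),
                       ("11.0.0.alpha0", "11.0.1")],
    "CVE-2021-28164": [("9.4.37.v20210219", "9.4.38.v20210224")],
    "CVE-2021-28163": [("9.4.32", "9.4.38"), ("10.0.0.beta2", "10.0.1"),
                       ("11.0.0.beta2", "11.0.1")],
}


def affecting_cves(version):
    """Return the sorted CVE ids from AFFECTED whose ranges contain version."""
    v = parse_jetty_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_jetty_version(lo) <= v <= parse_jetty_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # 9.4.6 is the version Guix shipped before this report; 9.4.39 is the fix.
    for v in ("9.4.6", "9.4.37.v20210219", "9.4.39.v20210325", "10.0.0.beta2"):
        print(v, affecting_cves(v) or "not affected by these three")
```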
Léo Le Bouter wrote on 2 Apr 12:38 +0200
(address . control@debbugs.gnu.org)
80f09be2c4e04dd5b685fca546d6de5c3caaad4e.camel@zaclys.net
tags 47562 + security
quit

Julien Lepiller wrote on 2 Apr 13:18 +0200
(name . Léo Le Bouter via Bug reports for GNU Guix) (address . bug-guix@gnu.org)
20210402131805.3ade4377@tachikoma.lepiller.eu
On Fri, 02 Apr 2021 12:37:27 +0200, Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> CVE-2021-28165 01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
>
> CVE-2021-28164 01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
>
> CVE-2021-28163 01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
>
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325
Hi Guix!
attached is a patch for these security issues. I'm not very happy with them, because I had to do many things, but when updating 4 yo packages, it's somewhat expected.
The packages now require junit 5 to run the tests, so I had to disable them, and dependencies have changed a bit, with the notable addition of util-ajax. Unfortunately, I cannot update the 9.2.* versions, and jetty-test-classes fails to build, though it's not needed anymore as it's only used during tests.
I believe I added these packages initially only because I didn't want users to mistakenly install the 9.2.* versions that were not the latest at the time. We might want to update to jetty 11 or figure out how to build junit 5, which has quite a complex dependency graph, with a few cycles.
Thanks Léo for noticing this!
From d5e5f91b523fb12f452a28648c67531e362a7637 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Fri, 2 Apr 2021 12:55:16 +0200
Subject: [PATCH] gnu: java-eclipse-jetty-util: Update to 9.4.39 [security fixes].

Fixes CVE-2021-28165 - jetty server high CPU when client send data length >17408, CVE-2021-28164 - Normalize ambiguous URIs and CVE-2021-28163 - Exclude webapps directory from deployment scan.

* gnu/packages/java.scm (java-eclipse-jetty-util): Update to 9.4.39.
(java-eclipse-jetty-util-ajax): New variable.
(java-eclipse-jetty-util, java-eclipse-jetty-io, java-eclipse-jetty-http)
(java-eclipse-jetty-jmx, java-eclipse-jetty-server)
(java-eclipse-jetty-security, java-eclipse-jetty-servlet)
(java-eclipse-jetty-xml, java-eclipse-jetty-webapp): Disable tests.
[native-inputs]: Remove test dependencies.
---
 gnu/packages/web.scm | 43 ++++++++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 19 deletions(-)
Toggle diff (147 lines)diff --git a/gnu/packages/web.scm b/gnu/packages/web.scmindex 7bc638ba88..7b0aee3b31 100644--- a/gnu/packages/web.scm+++ b/gnu/packages/web.scm@@ -6830,18 +6830,19 @@ Web Server.") (define-public java-eclipse-jetty-util (package (name "java-eclipse-jetty-util")- (version "9.4.6")+ (version "9.4.39") (source (origin (method url-fetch) (uri (string-append "https://github.com/eclipse/jetty.project/"- "archive/jetty-" version ".v20170531.tar.gz"))+ "archive/jetty-" version ".v20210325.tar.gz")) (sha256 (base32- "0x7kbdvkmgr6kbsmbwiiyv3bb0d6wk25frgvld9cf8540136z9p1"))))+ "0b4hy4zmdmfbqk9bzmxk7v75y2ysqiappkip4z3hb9lxjvjh0b19")))) (build-system ant-build-system) (arguments `(#:jar-name "eclipse-jetty-util.jar" #:source-dir "src/main/java"+ #:tests? #f; require junit 5 #:test-exclude (list "**/Abstract*.java" ;; requires network@@ -6860,11 +6861,6 @@ Web Server.") (inputs `(("slf4j" ,java-slf4j-api) ("servlet" ,java-javaee-servletapi)))- (native-inputs- `(("junit" ,java-junit)- ("hamcrest" ,java-hamcrest-all)- ("perf-helper" ,java-eclipse-jetty-perf-helper)- ("test-helper" ,java-eclipse-jetty-test-helper))) (home-page "https://www.eclipse.org/jetty/") (synopsis "Utility classes for Jetty") (description "The Jetty Web Server provides an HTTP server and Servlet@@ -6925,6 +6921,7 @@ or embedded instantiation. This package provides utility classes.") `(#:jar-name "eclipse-jetty-io.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8+ #:tests? #f; require junit 5 #:test-exclude (list "**/Abstract*.java" ;; Abstract class "**/EndPointTest.java")@@ -6966,6 +6963,7 @@ or embedded instantiation. This package provides IO-related utility classes.")) `(#:jar-name "eclipse-jetty-http.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8+ #:tests? #f; require junit 5 #:phases (modify-phases %standard-phases (add-before 'configure 'chdir@@ -7101,9 +7099,6 @@ or embedded instantiation. 
This package provides the JMX management."))) ("io" ,java-eclipse-jetty-io) ("jmx" ,java-eclipse-jetty-jmx) ("util" ,java-eclipse-jetty-util)))- (native-inputs- `(("test-classes" ,java-eclipse-jetty-http-test-classes)- ,@(package-native-inputs java-eclipse-jetty-util))) (synopsis "Core jetty server artifact") (description "The Jetty Web Server provides an HTTP server and Servlet container capable of serving static and dynamic content either from a standalone@@ -7133,6 +7128,7 @@ artifact."))) `(#:jar-name "eclipse-jetty-security.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8+ #:tests? #f; require junit 5 #:test-exclude (list "**/ConstraintTest.*") ; This test fails #:phases (modify-phases %standard-phases@@ -7146,9 +7142,6 @@ artifact."))) ("http" ,java-eclipse-jetty-http) ("server" ,java-eclipse-jetty-server) ("util" ,java-eclipse-jetty-util)))- (native-inputs- `(("io" ,java-eclipse-jetty-io)- ,@(package-native-inputs java-eclipse-jetty-util))) (synopsis "Jetty security infrastructure") (description "The Jetty Web Server provides an HTTP server and Servlet container capable of serving static and dynamic content either from a standalone@@ -7169,6 +7162,18 @@ infrastructure"))) `(("io" ,java-eclipse-jetty-io-9.2) ,@(package-native-inputs java-eclipse-jetty-util-9.2))))) +(define-public java-eclipse-jetty-util-ajax+ (package+ (inherit java-eclipse-jetty-util)+ (name "java-eclipse-jetty-util-ajax")+ (arguments+ `(#:jar-name "eclipse-jetty-util-ajax.jar"+ #:source-dir "jetty-util-ajax/src/main/java"+ #:tests? #f)); require junit 5+ (inputs+ `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util)+ ("java-javaee-servletapi" ,java-javaee-servletapi)))))+ (define-public java-eclipse-jetty-servlet (package (inherit java-eclipse-jetty-util)@@ -7177,6 +7182,7 @@ infrastructure"))) `(#:jar-name "eclipse-jetty-servlet.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8+ #:tests? 
#f; require junit 5 #:phases (modify-phases %standard-phases (add-before 'configure 'chdir@@ -7186,8 +7192,8 @@ infrastructure"))) (inputs `(("slf4j" ,java-slf4j-api) ("java-javaee-servletapi" ,java-javaee-servletapi)+ ("java-eclipse-jetty-util-ajax" ,java-eclipse-jetty-util-ajax) ("http" ,java-eclipse-jetty-http)- ("http-test" ,java-eclipse-jetty-http-test-classes) ("io" ,java-eclipse-jetty-io) ("jmx" ,java-eclipse-jetty-jmx) ("security" ,java-eclipse-jetty-security)@@ -7277,6 +7283,7 @@ container."))) `(#:jar-name "eclipse-jetty-webapp.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8+ #:tests? #f; require junit 5 ;; One test fails #:test-exclude (list "**/WebAppContextTest.java") #:phases@@ -7288,14 +7295,12 @@ container."))) (inputs `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util) ("java-eclipse-jetty-http" ,java-eclipse-jetty-http)+ ("java-eclipse-jetty-io" ,java-eclipse-jetty-io) ("java-eclipse-jetty-server" ,java-eclipse-jetty-server) ("java-eclipse-jetty-servlet" ,java-eclipse-jetty-servlet) ("java-eclipse-jetty-security" ,java-eclipse-jetty-security) ("java-eclipse-jetty-xml" ,java-eclipse-jetty-xml)- ("java-javaee-servletapi" ,java-javaee-servletapi)))- (native-inputs- `(("java-eclipse-jetty-io" ,java-eclipse-jetty-io)- ,@(package-native-inputs java-eclipse-jetty-util)))))+ ("java-javaee-servletapi" ,java-javaee-servletapi))))) (define-public java-eclipse-jetty-webapp-9.2 (package-- 2.31.0
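Review bot: in the first java-eclipse-jetty-util hunk, `#:tests? #f; require junit 5` is added while the `#:test-exclude (list "**/Abstract*.java" ;; requires network` list right below it is kept; with tests disabled that exclusion list is dead configuration and its comments now mislead, so either drop it or say in the comment why it stays. The ChangeLog entry in the commit message also names `gnu/packages/java.scm`, but the diff header is `--- a/gnu/packages/web.scm`; the entry should name the file actually changed. Minor style point: the other inline comments in the file use a space before the semicolon (`(list "**/ConstraintTest.*") ; This test fails`), so `#:tests? #f ; require junit 5` would match.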
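Review bot: the hunk removing `perf-helper`, `test-helper` and (in the jetty-server and jetty-servlet hunks) `java-eclipse-jetty-http-test-classes` from native-inputs leaves those helper packages defined but unreferenced, and the cover message says jetty-test-classes no longer builds; a definition that nothing depends on and that is known to fail should be removed in the same change or a stated follow-up rather than left as a broken package in web.scm.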
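Review bot: the new `java-eclipse-jetty-util-ajax` package `(inherit java-eclipse-jetty-util)` without overriding `synopsis` or `description`, so it will be listed with the jetty-util text "Utility classes for Jetty"; give it its own synopsis and description naming what the jetty-util-ajax module provides. The inline comment is also placed after the closing parentheses (`#:tests? #f)); require junit 5`) instead of next to the keyword as in the other hunks, and the input label `("java-eclipse-jetty-util" ,java-eclipse-jetty-util)` differs from the short labels (`"util"`, `"io"`) used by the sibling packages.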
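Review bot: in the java-eclipse-jetty-webapp hunk, `#:tests? #f; require junit 5` is inserted directly above `;; One test fails` and `#:test-exclude (list "**/WebAppContextTest.java")`; now that no tests run, both the exclusion and its comment are stale and should be removed, or the comment changed to say that tests are disabled wholesale pending junit 5 (the jetty-security hunk has the same pattern with `"**/ConstraintTest.*"`). Moving `java-eclipse-jetty-io` from native-inputs to inputs in the same hunk looks right, since it is a runtime dependency of the webapp module.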
Julien Lepiller wrote on 12 Apr 16:41 +0200
Re: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
(address . 47562-done@debbugs.gnu.org)
20210412164138.6d23eed8@tachikoma.lepiller.eu
Pushed as ac3bf4e4da58e985f012d216b2faf36434cdf967.
Closed