java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)

Details
  • Participants (2): Julien Lepiller, Léo Le Bouter
  • Owner: unassigned
  • Submitted by: Léo Le Bouter
  • Severity: normal
Léo Le Bouter wrote on 2 Apr 2021 12:37
(address . bug-guix@gnu.org)
0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@zaclys.net
CVE-2021-28165 01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
large invalid TLS frame.

CVE-2021-28164 01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
compliance mode allows requests with URIs that contain %2e or %2e%2e
segments to access protected resources within the WEB-INF directory.
For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
web.xml file. This can reveal sensitive information regarding the
implementation of a web application.

CVE-2021-28163 01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
symlink, the contents of the webapps directory is deployed as a static
webapp, inadvertently serving the webapps themselves and anything else
that might be in that directory.

The fix is to upgrade to latest version, currently: 9.4.39.v20210325


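For the CVE-2021-28164 class of request described above (a `%2e` or `%2e%2e` segment that only resolves to `WEB-INF` after the server decodes it), the following is an added detection example, not part of the bug report: it scans access-log lines, flags requests whose raw path carries an encoded dot segment while the decoded, dot-segment-normalized path lands under `/WEB-INF/`, and reports the status code so a responder can tell a blocked probe from a successful read. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not from the bug report.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2021:12:37:00 +0200] "GET /context/index.html HTTP/1.1" 200 512
10.0.0.9 - - [02/Apr/2021:12:37:03 +0200] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.9 - - [02/Apr/2021:12:37:04 +0200] "GET /context/static/%2E%2E/WEB-INF/classes/app.properties HTTP/1.1" 200 301
10.0.0.7 - - [02/Apr/2021:12:37:09 +0200] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def has_encoded_dot_segment(raw_path):
    # True if any raw path segment is an encoded '.' or '..' (any hex case).
    return any(seg.lower() in ("%2e", "%2e%2e") for seg in raw_path.split("/"))

def normalize(raw_path):
    # Decode percent-escapes, then drop '.' / '..' segments the way a
    # compliant server resolves the path before applying access rules.
    out = []
    for seg in unquote(raw_path).split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def find_web_inf_probes(log_text):
    # Returns one dict per request that used an encoded dot segment to reach WEB-INF.
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        raw = m.group("target").split("?", 1)[0]
        resolved = normalize(raw)
        if has_encoded_dot_segment(raw) and "/WEB-INF/" in resolved.upper():
            hits.append({"ip": m.group("ip"), "raw": raw,
                         "resolved": resolved, "status": m.group("status")})
    return hits

if __name__ == "__main__":
    for hit in find_web_inf_probes(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['raw']} -> {hit['resolved']}")
```

A plain `/WEB-INF/` request (the last sample line) is not flagged because the container already rejects it; a flagged request with status 200 is the signal that the affected Jetty range served the protected file.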
Léo Le Bouter wrote on 2 Apr 2021 12:38
(address . control@debbugs.gnu.org)
80f09be2c4e04dd5b685fca546d6de5c3caaad4e.camel@zaclys.net
tags 47562 + security
quit


Julien Lepiller wrote on 2 Apr 2021 13:18
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
20210402131805.3ade4377@tachikoma.lepiller.eu
On Fri, 02 Apr 2021 12:37:27 +0200,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> CVE-2021-28165 01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
>
> CVE-2021-28164 01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
>
> CVE-2021-28163 01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
>
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325

Hi Guix!

Attached is a patch for these security issues. I'm not very happy with
them, because I had to do many things, but when updating 4-year-old packages,
it's somewhat expected.

The packages now require junit 5 to run the tests, so I had to disable
them, and dependencies have changed a bit, with the notable addition of
util-ajax. Unfortunately, I cannot update the 9.2.* versions, and
jetty-test-classes fails to build, though it's not needed anymore as
it's only used during tests.

I believe I added these packages initially only because I didn't want
users to mistakenly install the 9.2.* versions that were not the latest
at the time. We might want to update to jetty 11 or figure out how to
build junit 5, which has quite a complex dependency graph, with a few
cycles.

Thanks Léo for noticing this!
Julien Lepiller wrote on 12 Apr 2021 16:41
Re: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
(address . 47562-done@debbugs.gnu.org)
20210412164138.6d23eed8@tachikoma.lepiller.eu
Pushed as ac3bf4e4da58e985f012d216b2faf36434cdf967.
Closed