https://bugzilla.redhat.com/show_bug.cgi?id=1945712
Bug ID: 1945712
Summary: CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, ataylor@redhat.com, bibryam@redhat.com, bmontgom@redhat.com, chazlett@redhat.com, dbecker@redhat.com, drieden@redhat.com, eclipse-sig@lists.fedoraproject.org, eparis@redhat.com, eric.wittmann@redhat.com, etirelli@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, hbraun@redhat.com, ibek@redhat.com, janstey@redhat.com, java-maint@redhat.com, jburrell@redhat.com, jjohnstn@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jross@redhat.com, jschluet@redhat.com, jstastny@redhat.com, jwon@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, lhh@redhat.com, lpeer@redhat.com, mat.booth@gmail.com, mburns@redhat.com, mizdebsk@redhat.com, mkolesni@redhat.com, mnovotny@redhat.com, nstielau@redhat.com, pantinor@redhat.com, pjindal@redhat.com, rrajasek@redhat.com, sclewis@redhat.com, scohen@redhat.com, slinaber@redhat.com, sochotni@redhat.com, sponnaga@redhat.com, swoodman@redhat.com, tzimanyi@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-...
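An added detection example (not Jetty code and not part of this bug report) for the request shape described above: it decodes a request path once, as the container does, collapses "." and ".." segments, and reports which access-log entries resolve into WEB-INF, distinguishing the percent-encoded form this CVE is about from a plain /WEB-INF/ request that the container already rejects. The log lines and the /app context path are constructed for the demonstration.

```python
"""Flag requests whose percent-encoded dot segments resolve into WEB-INF.
Added example, not Jetty code: decode the path once (as the container does),
collapse "." and ".." segments, and report what lands in a protected dir.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

PROTECTED = ("/WEB-INF/",)  # directory a servlet container must never serve
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def has_encoded_dot_segment(path: str) -> bool:
    """True if a segment becomes "." or ".." only after percent-decoding."""
    return any(unquote(seg) in (".", "..") and seg not in (".", "..")
               for seg in path.split("/"))

def resolves_into_protected(path: str) -> bool:
    """Single decode (no double-decoding) then normalise; the case-insensitive
    compare is a deliberately conservative choice for a detector."""
    normalized = posixpath.normpath(unquote(path))
    return any(p in (normalized + "/").upper() for p in PROTECTED)

def classify(raw_target: str) -> Optional[str]:
    """None when benign; "direct" for a plain /WEB-INF/ request (already
    refused by the container); "ambiguous-encoded-dot" for the CVE shape."""
    path = raw_target.split("?", 1)[0]  # ignore the query string
    if not resolves_into_protected(path):
        return None
    return "ambiguous-encoded-dot" if has_encoded_dot_segment(path) else "direct"

def scan_log(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (target, status, verdict) for each request reaching WEB-INF.
    A 200 next to "ambiguous-encoded-dot" means the file was actually served."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (verdict := classify(m["target"])):
            findings.append((m["target"], int(m["status"]), verdict))
    return findings

# Constructed common-log-format lines for the demonstration; not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [01/Apr/2021:10:00:00 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2021:10:00:01 +0000] "GET /app/%2e/WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Apr/2021:10:00:02 +0000] "GET /app/css/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Apr/2021:10:00:03 +0000] "GET /app/WEB-INF/web.xml HTTP/1.1" 404 0',
]
```

Running `scan_log(LOG_LINES)` on an unpatched 9.4.37/9.4.38 server's log shows the two encoded-dot requests with status 200, which is the evidence that the protected file was served rather than merely requested.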
Pedro Sampaio psampaio@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1945713
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1945713 [Bug 1945713] CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF [fedora-all]
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1945713]
Pedro Sampaio psampaio@redhat.com changed:
What   | Removed | Added
-------+---------+--------
Blocks |         | 1945716
Przemyslaw Roguski proguski@redhat.com changed:
What             | Removed | Added
-----------------+---------+-------------
Fixed In Version |         | jetty 9.4.39
--- Comment #2 from Przemyslaw Roguski proguski@redhat.com --- External References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-...
Przemyslaw Roguski proguski@redhat.com changed:
What | Removed | Added
-----+---------+----------------------------------------------------------------
CC   |         | abenaiss@redhat.com, aos-bugs@redhat.com, pbhattac@redhat.com, sd-operator-metering@redhat.com, tflannag@redhat.com, vbobade@redhat.com
--- Doc Text *updated* --- In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.
--- Comment #3 from Przemyslaw Roguski proguski@redhat.com --- The issue was introduced with version 9.4.37. Older versions of jetty are not affected.
Paramvir Jindal pjindal@redhat.com changed:
What | Removed                                                                 | Added
-----+-------------------------------------------------------------------------+------
CC   | akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, etirelli@redhat.com, ibek@redhat.com, jstastny@redhat.com, krathod@redhat.com, kverlaen@redhat.com, mnovotny@redhat.com, pjindal@redhat.com, rrajasek@redhat.com, tzimanyi@redhat.com |
--- Comment #5 from Przemyslaw Roguski proguski@redhat.com --- Upstream patch: https://github.com/eclipse/jetty.project/commit/d80c622b005c044e93f585c231b4...
--- Comment #6 from Anten Skrabec askrabec@redhat.com --- Statement:
Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.
--- Comment #7 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss A-MQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #8 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat Camel K as having a low impact: although Camel K distributes Jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer; HTTP functionality is provided by the Camel K default runtime, Quarkus.
Riccardo Schirone rschiron@redhat.com changed:
What       | Removed | Added
-----------+---------+-----------------
Depends On |         | 1952067, 1952066
Bug 1945712 depends on bug 1945713, which changed state.
Bug 1945713 Summary: CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1945713
What       | Removed | Added
-----------+---------+-------
Status     | ON_QA   | CLOSED
Resolution | ---     | ERRATA
--- Comment #13 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Developer Tools
Via RHSA-2021:1509 https://access.redhat.com/errata/RHSA-2021:1509
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        | Removed | Added
------------+---------+--------------------
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2021-05-06 20:34:03
--- Comment #14 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-28164
--- Comment #15 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.6.4
Via RHSA-2021:1560 https://access.redhat.com/errata/RHSA-2021:1560
--- Comment #16 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat Integration Service Registry as having a low impact: although Service Registry distributes Jetty as part of the Kafka Connect component, it is not available in the productised release, meaning Jetty is also not available for use by the end application developer.
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.8.2
Via RHSA-2021:2689 https://access.redhat.com/errata/RHSA-2021:2689
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------+---------+---------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2021:2689
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.8.0
Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------+---------+---------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2021:3225
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.9.0
Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------+---------+---------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2021:3700
--- Comment #22 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration
Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------+---------+---------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2021:4767
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.10
Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------+---------+---------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2021:5134
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHAF Camel-K 1.8
Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
--------+---------+---------------------------------------
Link ID |         | Red Hat Product Errata RHSA-2022:6407