https://bugzilla.redhat.com/show_bug.cgi?id=1902826
Bug ID: 1902826
Summary: CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: abenaiss@redhat.com, aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, ataylor@redhat.com, bmontgom@redhat.com, btofel@redhat.com, chazlett@redhat.com, drieden@redhat.com, eclipse-sig@lists.fedoraproject.org, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, ibek@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jcoleman@redhat.com, jjohnstn@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, ldimaggi@redhat.com, mat.booth@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, nstielau@redhat.com, nwallace@redhat.com, pbhattac@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, rrajasek@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sdaley@redhat.com, sd-operator-metering@redhat.com, sochotni@redhat.com, sponnaga@redhat.com, sthorger@redhat.com, tcunning@redhat.com, tkirby@redhat.com, vbobade@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
References: https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892 https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-...
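The description above names two preconditions that the deploying side controls: request inflation enabled on the GzipHandler, and a request body that is received but not consumed by the application. The Java below is an added illustration, not code from Jetty or from this report: a hypothetical DrainBodyFilter that reads off whatever a servlet left unread before the request completes, and a build() method showing the weak GzipHandler setting beside the hardened one. It assumes Jetty 9.4 with the Servlet 3.1 API; the actual fix is upgrading to a Jetty release that corrects the buffer recycling.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.EnumSet;
import javax.servlet.*;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.gzip.GzipHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;

/** Hypothetical filter: once the servlet returns, read and discard any unread request body. */
public class DrainBodyFilter implements Filter {
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } finally {
            // Synchronous requests only; an async servlet would drain from an AsyncListener.
            try {
                drain(req.getInputStream());
            } catch (IllegalStateException e) {
                // The servlet already took getReader(); drain the character stream instead.
                while (req.getReader().read() != -1) { /* discard */ }
            }
        }
    }

    /** Reads to end-of-stream and returns the number of bytes discarded (0 if already consumed). */
    static long drain(InputStream in) throws IOException {
        byte[] buf = new byte[8192];
        long discarded = 0;
        for (int n; (n = in.read(buf)) != -1; ) {
            discarded += n;
        }
        return discarded;
    }

    /** Weak and corrected GzipHandler settings side by side; servlets are mapped by the application. */
    public static Server build(boolean inflationDisabled) {
        ServletContextHandler ctx = new ServletContextHandler();
        ctx.addFilter(DrainBodyFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
        GzipHandler gzip = new GzipHandler();
        // 8192: request-body inflation on (the affected code path); 0: inflation off, Jetty's default.
        gzip.setInflateBufferSize(inflationDisabled ? 0 : 8192);
        gzip.setHandler(ctx);
        Server server = new Server(8080);
        server.setHandler(gzip);
        return server;
    }
}
```

Draining removes only the "body not consumed" precondition; on an unpatched build, build(true) keeps inflation off until the upgrade is in place.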
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What       | Removed | Added
Depends On |         | 1902827
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1902827 [Bug 1902827] CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation [fedora-all]
--- Comment #2 from Paramvir jindal pjindal@redhat.com --- RHSSO doesn't ship Jetty at all, just adapters that can be deployed on top of Jetty.
Jonathan Christison jochrist@redhat.com changed:
What             | Removed | Added
Fixed In Version |         | jetty-9.4.35.v20201120, jetty-10.0.0.beta3, jetty-11.0.0.beta3
--- Comment #4 from Jonathan Christison jochrist@redhat.com ---
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss AMQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #8 from Przemyslaw Roguski proguski@redhat.com --- External References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-...
Przemyslaw Roguski proguski@redhat.com changed:
What       | Removed | Added
Depends On |         | 1891693
Przemyslaw Roguski proguski@redhat.com changed:
What       | Removed | Added
Depends On |         | 1891694
Przemyslaw Roguski proguski@redhat.com changed:
What       | Removed | Added
Depends On |         | 1891695
Przemyslaw Roguski proguski@redhat.com changed:
What       | Removed | Added
Depends On |         | 1905620
Jonathan Christison jochrist@redhat.com changed:
What     | Removed | Added
See Also |         | https://issues.redhat.com/browse/ENTESB-15384, https://issues.redhat.com/browse/ENTESB-15385, https://issues.redhat.com/browse/ENTMQBR-4315
--- Comment #10 from Jonathan Christison jochrist@redhat.com ---
Marking Red Hat Camel K as having a low impact. Although Camel K distributes jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer; http functionality is provided by the camel-k default runtime, Quarkus.
--- Comment #11 from Jonathan Christison jochrist@redhat.com ---
A word on scoring: our scoring is currently 4.8/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L and the NVD score is 3.7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.
My take:
Exploitability Metrics:
Attack Vector Network (AV:N) - Agree here. Jetty is both an HTTP server and client; in the context of this vulnerability it is the server that is affected. The component is commonly bound to the network stack and is also commonly a WAN-facing service.
Attack Complexity High (AC:H)
We agree here: the attack complexity is high because, beyond GzipHandler being enabled, there are other factors outside the attacker's control. These factors are:
*) The end application doesn't contain any logic to handle connection closure.
*) The end application doesn't fully consume a gzipped POST request.
*) There is an element of chance as to whether the recycled buffer will be used in such a way as to allow an attack; for example, differences in network speed, OS buffers and dispatching threads will all have a varying impact, meaning this attack will need to be tailored to each specific target by the attacker.
Privileges Required None (PR:N) - Agree here, the attacker does not need to be a privileged user, e.g. no login is required to exploit the base flaw.
User Interaction None (UI:N) - Agree here, an end user does not need to be coerced into performing any action for this flaw.
Scope Unchanged (S:U) - Agree here, the attacker will not be able to escape the scope of the executing JVM solely due to this flaw.
Impact Metrics:
Confidentiality None (C:N) - Agree here, this is a blind attack and relies on a POST request; there is no information the attacker can divulge.
Integrity Low (I:L) - We agree here. If the attacker is able to overcome the attack complexity and predictably exploit the buffer, then the contents of other POST requests can be altered, meaning data modification is taking place; but given the complexities of the attack the attacker does not have control over the consequences of the modification.
Availability Low (A:N -> A:L) - We disagree here with the original scoring of None for availability. The attack, if successful, will in many situations cause an exception when two request bodies are combined; depending on the end application's handling of these exceptions this could mean interruption to other users of the http service.
Jonathan Christison jochrist@redhat.com changed:
What    | Removed | Added
Comment | 11      | updated
--- Comment #11 has been edited ---
Doran Moppert dmoppert@redhat.com changed:
What     | Removed | Added
See Also |         | https://issues.redhat.com//browse/ENTESB-15384, https://issues.redhat.com//browse/ENTESB-15385, https://issues.redhat.com//browse/ENTMQBR-4315
Doran Moppert dmoppert@redhat.com changed:
What       | Removed | Added
See Also   |         | https://issues.redhat.com//browse/RHECLIPSE-328
Depends On |         | 1907765
--- Comment #13 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ LTS 7.4.6
Via RHSA-2021:0329 https://access.redhat.com/errata/RHSA-2021:0329
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2021:0329
--- Comment #14 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.8.1
Via RHSA-2021:0417 https://access.redhat.com/errata/RHSA-2021:0417
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2021:0417
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        | Removed | Added
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2021-02-04 14:41:45
--- Comment #15 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-27218
--- Comment #16 from Przemyslaw Roguski proguski@redhat.com --- Statement:
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of jetty. Since the release of OCP 4.6 the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rele...
Bug 1902826 depends on bug 1902827, which changed state.
Bug 1902827 Summary: CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1902827
What       | Removed | Added
Status     | NEW     | CLOSED
Resolution | ---     | CURRENTRELEASE
Vibhav Bobade vbobade@redhat.com changed:
What       | Removed | Added
Depends On |         | 1952337
Vibhav Bobade vbobade@redhat.com changed:
What       | Removed | Added
Depends On |         | 1952340
Adam Kaplan adam.kaplan@redhat.com changed:
What       | Removed | Added
Depends On |         | 1972361
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1972361 [Bug 1972361] Bump jenkins version to 2.289.1
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2021:2499 https://access.redhat.com/errata/RHSA-2021:2499
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2021:2499
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2021:2517 https://access.redhat.com/errata/RHSA-2021:2517
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2021:2517
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2021:2431 https://access.redhat.com/errata/RHSA-2021:2431
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2021:2431
Bug 1902826 depends on bug 1972361, which changed state.
Bug 1972361 Summary: Bump jenkins version to 2.289.1 https://bugzilla.redhat.com/show_bug.cgi?id=1972361
What       | Removed         | Added
Status     | RELEASE_PENDING | CLOSED
Resolution | ---             | ERRATA
--- Comment #22 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration
Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2021:4767
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.10
Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2021:5134
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHINT Camel-K 1.6.4
Via RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2022:1029