https://bugzilla.redhat.com/show_bug.cgi?id=1891132
Bug ID: 1891132
Summary: CVE-2020-27216 jetty: local temporary directory hijacking vulnerability
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: abenaiss@redhat.com, aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, ataylor@redhat.com, bmontgom@redhat.com, chazlett@redhat.com, drieden@redhat.com, eclipse-sig@lists.fedoraproject.org, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, ibek@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jcoleman@redhat.com, jjohnstn@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, ldimaggi@redhat.com, mat.booth@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, nstielau@redhat.com, nwallace@redhat.com, pbhattac@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, rrajasek@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sdaley@redhat.com, sochotni@redhat.com, sponnaga@redhat.com, sthorger@redhat.com, tcunning@redhat.com, tkirby@redhat.com, vbobade@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-...
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------
Depends On       |         | 1891133
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1891133 [Bug 1891133] CVE-2020-27216 jetty: local temporary directory hijacking vulnerability [fedora-all]
Chess Hazlett chazlett@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------------------------------------------------
Fixed In Version |         | jetty 9.4.33.v20201020, jetty 10.0.0.beta3, jetty 11.0.0.beta3
--- Comment #3 from Chess Hazlett chazlett@redhat.com --- Mitigation:
Jetty users should create temp folders outside the normal /tmp structure, and ensure that their permissions are set so as not to be accessible by an attacker.
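The race in the bug description and the mitigation in Comment #3, as an added shell example that is not part of this bug entry or of the Jetty project. It shows the two-step reserve-a-name-then-mkdir pattern whose window a co-located user can exploit, the atomic mode-0700 creation that closes it, and an audit of a shared temp root for Jetty unpack directories that are not private to the service account. It assumes Linux with GNU coreutils (stat -c, mktemp); the jetty-* glob relies on Jetty 9's naming of its unpack directories, and every path and user id is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example; not code from the Bugzilla entry or from the Jetty project.
# Assumes Linux with GNU coreutils (stat -c, mktemp). Directory names and the
# service account are placeholders supplied by the caller.

# Succeed only if DIR is a real directory (not a symlink), owned by numeric
# user id UID, with no group/other permission bits (mode 0700). That is the
# property the unpack directory needs so a co-located user can neither take
# it over nor write into WEB-INF/lib afterwards.
tmpdir_is_private() {
    dir=$1
    uid=$2
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        return 1
    fi
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    if [ "$owner" = "$uid" ] && [ "$mode" = "700" ]; then
        return 0
    fi
    return 1
}

# The vulnerable shape, split into its two steps so the window between them
# is visible: reserve a unique name by creating and deleting a file, then
# create a directory under that name with mkdir -p, which happily accepts a
# directory somebody else created in the meantime.
vulnerable_reserve_name() {
    root=$1
    f=$(mktemp "$root/jetty-XXXXXX") || return 1
    rm -f "$f"
    printf '%s\n' "$f"
}
vulnerable_finish_dir() {
    if mkdir -p "$1"; then
        return 0
    fi
    return 1
}

# Hardened creation: make the directory in one atomic step with mode 0700
# and refuse one that already exists. If an attacker won a race, mkdir fails
# instead of handing back their directory.
make_private_tmpdir() {
    dir=$1
    mkdir -m 0700 "$dir" 2>/dev/null || return 1
    tmpdir_is_private "$dir" "$(id -u)"
}

# List Jetty unpack directories under ROOT (typically /tmp) that are not
# private to UID. Jetty 9 names them jetty-<host>-<port>-<war>-...; the glob
# relies on that prefix. Returns 1 if at least one such directory is found.
audit_shared_tmp() {
    root=$1
    uid=$2
    found=0
    for d in "$root"/jetty-*; do
        [ -d "$d" ] || continue
        if ! tmpdir_is_private "$d" "$uid"; then
            echo "hijackable: $d (uid $(stat -c '%u' "$d"), mode $(stat -c '%a' "$d"))"
            found=1
        fi
    done
    return "$found"
}

# Demo with constructed directories: run as `sh tmpdir_check.sh demo`.
if [ "${1:-}" = "demo" ]; then
    base=$(mktemp -d)
    name=$(vulnerable_reserve_name "$base")
    mkdir -m 0777 "$name"            # a second user wins the race here
    vulnerable_finish_dir "$name" && echo "vulnerable path accepted $name"
    make_private_tmpdir "$base/jetty-private" && echo "private dir created"
    audit_shared_tmp "$base" "$(id -u)" || echo "audit found hijackable dirs"
    rm -rf "$base"
fi
```

Once the private directory exists, point Jetty at it with -Djava.io.tmpdir=<dir> on the JVM command line (or set tempDirectory on the WebAppContext in the context XML), and run the audit against the real /tmp as the service account to catch deployments that still unpack into the shared location.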
Mark Cooper mcooper@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------
Depends On       |         | 1891693, 1891694
Mark Cooper mcooper@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------
Depends On       |         | 1891695
Mark Cooper mcooper@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------
Depends On       |         | 1891703
--- Comment #7 from Mark Cooper mcooper@redhat.com --- External References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-...
--- Comment #8 from Mark Cooper mcooper@redhat.com --- Upstream Fix: https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b1098...
Doran Moppert dmoppert@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------
Depends On       |         | 1894813, 1894814
--- Comment #14 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Developer Tools
Via RHSA-2020:5168 https://access.redhat.com/errata/RHSA-2020:5168
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------------------
Link ID          |         | Red Hat Product Errata RHSA-2020:5168
Product Security DevOps Team prodsec-dev@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------
Status           | NEW     | CLOSED
Resolution       | ---     | ERRATA
Last Closed      |         | 2020-11-23 23:33:52
--- Comment #15 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-27216
--- Comment #16 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ
Via RHSA-2020:5365 https://access.redhat.com/errata/RHSA-2020:5365
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------------------
Link ID          |         | Red Hat Product Errata RHSA-2020:5365
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ LTS 7.4.6
Via RHSA-2021:0329 https://access.redhat.com/errata/RHSA-2021:0329
--- Comment #18 from Przemyslaw Roguski proguski@redhat.com --- Statement:
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rele...
Vibhav Bobade vbobade@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------
Depends On       |         | 1952337
Vibhav Bobade vbobade@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------
Depends On       |         | 1952340
Bug 1891132 depends on bug 1891133, which changed state.
Bug 1891133 Summary: CVE-2020-27216 jetty: local temporary directory hijacking vulnerability [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1891133
What             | Removed | Added
-----------------+---------+--------------------------
Status           | NEW     | CLOSED
Resolution       | ---     | CURRENTRELEASE
Adam Kaplan adam.kaplan@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------
Depends On       |         | 1972361
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1972361 [Bug 1972361] Bump jenkins version to 2.289.1
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2021:2499 https://access.redhat.com/errata/RHSA-2021:2499
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------------------
Link ID          |         | Red Hat Product Errata RHSA-2021:2499
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2021:2517 https://access.redhat.com/errata/RHSA-2021:2517
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------------------
Link ID          |         | Red Hat Product Errata RHSA-2021:2517
--- Comment #22 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2021:2431 https://access.redhat.com/errata/RHSA-2021:2431
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------------------
Link ID          |         | Red Hat Product Errata RHSA-2021:2431
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------------------
Link ID          |         | Red Hat Product Errata RHSA-2021:3140
Bug 1891132 depends on bug 1972361, which changed state.
Bug 1972361 Summary: Bump jenkins version to 2.289.1 https://bugzilla.redhat.com/show_bug.cgi?id=1972361
What             | Removed         | Added
-----------------+-----------------+------------------
Status           | RELEASE_PENDING | CLOSED
Resolution       | ---             | ERRATA