Bug 564984 (CVE-2019-17638) - CVE Request: Jetty Corrupt Response Buffer
Summary: CVE Request: Jetty Corrupt Response Buffer
Status: RESOLVED FIXED
Alias: CVE-2019-17638
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
URL: https://cve.mitre.org/cgi-bin/cvename...
Keywords: security

Reported: 2020-07-06 13:05 EDT by Jesse McConnell CLA
Modified: 2022-03-14 02:29 EDT
Description Jesse McConnell CLA 2020-07-06 13:05:56 EDT
We are currently tracking an issue that affects a few released versions of Jetty where reportedly under heavy load a response buffer may become corrupted and handled incorrectly.

There is an underlying issue that has been identified and resolved here:

https://github.com/eclipse/jetty.project/issues/4936

The security implications are as yet unconfirmed that I am aware of, but at first blush a CVE seems warranted.

We'll get a score and description together soon and post to this issue.
Comment 1 Christopher Walker CLA 2020-07-08 07:51:30 EDT
We've been researching this further and agree a CVE is needed. Information usually required:

CVE Score Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C/CR:M/IR:M/AR:M/MAV:N/MAC:H/MC:L

Formal Description: In case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).

Associated CWEs:

CWE-672: Operation on a Resource after Expiration or Release
CWE-675: Duplicate Operations on Resource
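The double release described in Comment 1 (and restated in Comment 17) can be replayed against a toy pool. This is an added illustration, not Jetty's ByteBufferPool; the class and method names (SimplePool, GuardedPool, simulateRace) are invented for it. The guarded variant shows the lease check a pool can enforce so that a second release fails loudly instead of the same buffer being handed to two responses.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;
// Added illustration, not Jetty code: SimplePool, GuardedPool and simulateRace are invented names.
public class DoubleReleaseDemo {
    /** Pool with no lease bookkeeping: a buffer released twice is handed out twice. */
    static class SimplePool {
        private final ArrayDeque<ByteBuffer> free = new ArrayDeque<>();
        synchronized ByteBuffer acquire(int size) {
            ByteBuffer b = free.poll();
            return b != null ? b : ByteBuffer.allocate(size);
        }
        synchronized void release(ByteBuffer b) { b.clear(); free.push(b); }
    }
    /** Pool that records leased buffers (by identity, not content) and refuses a second release. */
    static class GuardedPool extends SimplePool {
        private final Set<ByteBuffer> leased = Collections.newSetFromMap(new IdentityHashMap<>());
        @Override synchronized ByteBuffer acquire(int size) {
            ByteBuffer b = super.acquire(size);
            leased.add(b);
            return b;
        }
        @Override synchronized void release(ByteBuffer b) {
            if (!leased.remove(b)) throw new IllegalStateException("double release detected");
            super.release(b);
        }
    }
    /** Replays the 431 error path from the description and returns what client1 would read. */
    static String simulateRace(SimplePool pool) {
        ByteBuffer headers = pool.acquire(64);
        pool.release(headers);  // error handling releases the header buffer ...
        pool.release(headers);  // ... and releases it a second time
        ByteBuffer resp1 = pool.acquire(64);  // thread1 re-acquires to write response1
        ByteBuffer resp2 = pool.acquire(64);  // thread2 is handed the very same object
        resp2.put("Set-Cookie: JSESSIONID=client2-secret".getBytes(StandardCharsets.UTF_8)); // constructed sample
        resp1.flip();  // thread1 now writes "its" buffer, which holds client2's data
        byte[] out = new byte[resp1.remaining()];
        resp1.get(out);
        return new String(out, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) {
        System.out.println("SimplePool  -> client1 sees: " + simulateRace(new SimplePool()));
        try { simulateRace(new GuardedPool()); }
        catch (IllegalStateException e) { System.out.println("GuardedPool -> " + e.getMessage()); }
    }
}
```

With SimplePool the first line printed is client2's cookie; with GuardedPool the second release throws before any buffer is shared.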
Comment 2 Christopher Walker CLA 2020-07-08 07:54:47 EDT
Additional note: This issue was resolved in Jetty 9.4.30.v20200611
Comment 3 Wayne Beaton CLA 2020-07-08 08:01:16 EDT
Is the affected version range all versions of Eclipse Jetty before 9.4.30.v20200611?

FYI, there is help in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 4 Greg Wilkins CLA 2020-07-08 09:26:02 EDT
Wayne,
it is only a recent problem that we added in 9.4.27
Comment 5 Christopher Walker CLA 2020-07-08 09:38:21 EDT
9.4.27.v20200227 >=< 9.4.29.v20200521
Comment 6 Wayne Beaton CLA 2020-07-08 12:38:18 EDT
I've pushed this to the central authority.

Pull request: https://github.com/CVEProject/cvelist/pull/4270
Comment 8 Eclipse Genie CLA 2020-08-10 06:58:07 EDT
New Gerrit change created: https://git.eclipse.org/r/c/platform/eclipse.platform.releng.aggregator/+/167469
Comment 9 Eclipse Genie CLA 2020-08-10 07:06:20 EDT
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.bundles/+/167470
Comment 10 Eclipse Genie CLA 2020-08-10 07:11:45 EDT
New Gerrit change created: https://git.eclipse.org/r/c/platform/eclipse.platform.ua/+/167471
Comment 15 Eclipse Genie CLA 2020-08-10 08:06:57 EDT
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.bundles/+/166840
Comment 17 Greg Wilkins CLA 2020-08-31 12:44:56 EDT
After some community feedback, we believe we need to update the CVE for this as follows:


CVE Score Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P/RL:W/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:H/MI:X/MA:X

Formal Description: In case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1, seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).


Workaround: If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).
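The workaround above applied to an embedded Jetty 9.4 server, as an added example that is not from the Jetty project. It uses the HttpConfiguration setters that exist in 9.4; the class name HeaderSizeWorkaround and the port are this example's own choices, and the start.d property names in the comment are given for the distribution layout.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

// Added example, not Jetty project code. Upgrading to 9.4.30.v20200611 or later is the
// real fix; widening the response header buffer only makes the 431 path (and with it the
// double release) far less likely to be reached.
public class HeaderSizeWorkaround {
    public static HttpConfiguration workaroundConfig() {
        HttpConfiguration config = new HttpConfiguration();
        // Jetty 9.4 defaults both sizes to 8 KiB. Keep the request limit, widen the response limit
        // as Comment 17 suggests (8 KB request, 12 KB response).
        config.setRequestHeaderSize(8 * 1024);
        config.setResponseHeaderSize(12 * 1024);
        // Equivalent for the jetty-home distribution, in start.d/http.ini:
        //   jetty.httpConfig.requestHeaderSize=8192
        //   jetty.httpConfig.responseHeaderSize=12288
        return config;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        ServerConnector connector =
                new ServerConnector(server, new HttpConnectionFactory(workaroundConfig()));
        connector.setPort(8080);  // port chosen for this example
        server.addConnector(connector);
        server.start();
        server.join();
    }
}
```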
Comment 18 Wayne Beaton CLA 2020-09-01 13:08:29 EDT
I've created an update PR.

https://github.com/CVEProject/cvelist/pull/4680