Re: [jetty-dev] Jetty 9.3.x/Windows Security Vulnerability CVE-2016-4800

Is 9.3.9 in a p2 update site yet? Or will it be soon? The highest I see in .../jetty/updates/jetty-bundles-9.x is "9.3.6".

If we are to (try) and consume Jetty 9.3.9 in our Eclipse Neon Platform Help System then we need a p2 site soon (our final build was scheduled to be tomorrow!)

Thanks,

From: Greg Wilkins <gregw@xxxxxxxxxxx>
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>, "Jetty @ Eclipse developer discussion list" <jetty-dev@xxxxxxxxxxx>, jetty-announce@xxxxxxxxxxx
Date: 05/30/2016 06:27 PM
Subject: [jetty-dev] Jetty 9.3.x/Windows Security Vulnerability CVE-2016-4800
Sent by: jetty-dev-bounces@xxxxxxxxxxx

Jetty 9.3.0 to 9.3.8 inclusive is vulnerable to an aliasing issue when running on the Windows platform.
The vulnerability allows raw file resources protected by security constraints or in WEB-INF to be revealed. Only resources within the webapp are vulnerable.

The issue was fixed in release jetty-9.3.9, which is available via Eclipse download or in the Maven Central repository. A workaround is also documented in the oCERT announcement below. Rewrite rules and/or filters can be installed that disallow URIs containing the \ character.

http://www.ocert.org/advisories/ocert-2016-001.html

This vulnerability is an example of an alias vulnerability, where a resource on the file system can be accessed via different names. Thus if a security configuration allows all URIs except for specific patterns, then any aliases that bypass the specific patterns can create a security vulnerability. Since updates to file systems and/or JVM libraries can (and have) introduced new types of aliases, it is good security practice to install a deny constraint on all URIs and then selectively allow specific URIs.

The CVE is not yet visible in the NVD database.

The Jetty team would like to acknowledge the assistance of oCERT in finding and handling this issue.

--
Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com
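The workaround described in the announcement above (refuse any request URI that contains a backslash so that the Windows alias never reaches the file-serving code) can be implemented as a servlet filter. This is an added example, not code from Jetty or from the original posts; it assumes the javax.servlet 3.1 API that Jetty 9.3.x ships with, and the filter name and URL pattern are illustrative.

```java
// Added example (not Jetty's code). Assumes the javax.servlet 3.1 API used by Jetty 9.3.x.
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects any request whose raw URI contains a backslash, either literally
 * or percent-encoded (%5C / %5c), before it can reach the default servlet.
 * Mapped to every path so it also covers static resources and WEB-INF lookups.
 * (Hypothetical class name; register in web.xml instead if annotation
 * scanning is disabled in the deployment.)
 */
@WebFilter(urlPatterns = "/*")
public class NoBackslashFilter implements Filter {

    /** Pure check on the undecoded request URI; true means the request should be refused. */
    static boolean containsBackslash(String rawUri) {
        if (rawUri == null) {
            return false;
        }
        String lower = rawUri.toLowerCase(Locale.ROOT);
        return lower.indexOf('\\') >= 0 || lower.contains("%5c");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getRequestURI() is not URL-decoded, so an encoded %5C is still visible here.
        if (containsBackslash(request.getRequestURI())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

This blocks the alias form named in the advisory but does not replace upgrading to 9.3.9; the deny-all-then-allow constraint layout the announcement recommends remains the durable defence against aliases not yet known.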