Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[jetty-announce] CVE-2015-2080 : JetLeak Vulnerability Remote Leakage of Shared Buffers in Jetty

A Security Vulnerability in Jetty 9.2.3.v20140905 through 9.2.8.v20150217 (including 9.3.0.M0 and 9.3.0.M1 currently in beta/milestones) was recently discovered by Gotham Digital Science and Stephen Komal.


Note: Jetty 9.2.9.v20150224 release has fix.  A new release of Jetty 9.3.0 (currently in unstable beta/milestones) is being worked on.


The details of the vulnerability can be found both at blogs.gdssecurity.com and at github.com/eclipse/jetty.project.


We would like to thank Gotham Digital Science and Stephen Komal on their timely notice and excellent detailed analysis on this issue. Based on their feedback we were able to quickly resolve the problem and determine the necessary steps to take to remediate the issue.  


We determined that the severity of this bug was high enough that getting a release out and publishing the details was vital and important to our user base.  We independently made the decision to publish the details of this vulnerability well ahead of the normal CVE disclosure process.


Timeline:

  • Feb 23, 2015 - The general Jetty Project committer base was made aware of vulnerability

  • Feb 23, 2015 - Validation of the vulnerability, and its root cause were quickly determined to be a bad implementation of a feature request for more details on HttpParser parsing errors.

  • Feb 24, 2015 - A patch was finalized, tested, and a new release of Jetty 9.2.9 was published with this fix in place.


For the commercial support of Jetty please consider working with Webtide which is the company that fully funds the ongoing development of the Jetty project through services and support.  


--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Expert advice, services and support from from the Jetty & CometD experts

Back to the top