Eclipse Jetty up to 9.2.x/9.3.x/9.4.x HTTP 0.9 Request Cache Poisoning access control

Summaryinfo

A vulnerability was found in Eclipse Jetty up to 9.2.x/9.3.x/9.4.x. It has been classified as critical. The affected element is an unknown function of the component HTTP 0.9 Handler. The manipulation as part of Request leads to access control (Cache Poisoning). This vulnerability is listed as CVE-2017-7656. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Eclipse Jetty up to 9.2.x/9.3.x/9.4.x. This issue affects an unknown code block of the component HTTP 0.9 Handler. The manipulation as part of a Request leads to a access control vulnerability (Cache Poisoning). Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

The bug was discovered 06/25/2018. The weakness was presented 06/26/2018 (Website). The advisory is shared at bugs.eclipse.org. The identification of this vulnerability is CVE-2017-7656 since 04/11/2017. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 111048 (Fedora 27 : jetty (2018-93a507fd0f)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 176461 (Debian Security Update for jetty9 (DSA 4278-1)).

Upgrading eliminates this vulnerability. A possible mitigation has been published 3 weeks after the disclosure of the vulnerability.

The vulnerability is also documented in the databases at Tenable (111048) and SecurityTracker (ID 1041194†). See VDB-119806, VDB-119874, VDB-119875 and VDB-120018 for similar entries. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• Eclipse

Name

• Jetty

Version

• 9.0
• 9.1
• 9.2
• 9.3
• 9.4

License

• free

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion