You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "WCM RnD (Jira)" <ji...@apache.org> on 2021/04/14 11:05:00 UTC
[jira] [Updated] (SOLR-15338) High security vulnerability in Jetty
library CVE-2021-28163 (+5) bundled within Solr
[ https://issues.apache.org/jira/browse/SOLR-15338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
WCM RnD updated SOLR-15338:
---------------------------
Description:
High security vulnerability ahs been reported in the Jetty jar bundled within Solr:
h2. BDSA-2021-0848
*Vulnerability Details in BlackDuck:* see [BDSA-2021-0848|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0848]
*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-04-02 06:29 EDT
*Vulnerability Updated:* 2021-04-02 06:29 EDT
*CVSS Score:* 6.7 (overall), {color:#ff0000}7.5{color} (base)
*Summary*: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid TLS frames. An attacker could exploit this by sending a TLS frame with a size in excess of 17408 resulting in excessive resource consumption leading to a DoS condition.
*Solution*: Fixed in [*10.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.2] and [*11.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.2] by [this|https://github.com/eclipse/jetty.project/commit/be22761a20a1685365c8e0356bf09b47e574cfd9] and [this|https://github.com/eclipse/jetty.project/commit/039c7386d0f3087d7c8aa19ea6001b24c95b9f16] commit. Fixed in [*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325] by [this|https://github.com/eclipse/jetty.project/commit/00d379c94ba865dced2025c2d1bc3e2e0e41e880] and [this|https://github.com/eclipse/jetty.project/commit/294b2ba02b667548617a94cd99592110ac230add] commit.
h2. BDSA-2021-0849
*Vulnerability Details in BlackDuck:* see [BDSA-2021-0849|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0849]
*Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-04-02 06:55 EDT
*Vulnerability Updated:* 2021-04-02 06:55 EDT
*CVSS Score:* 4.6 (overall), 5.3 (base)
*Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via default compliance mode. An attacker could exploit this by using a URL containing {{%2e}} or {{%2e%2e}} segments. These were improperly allowed to access protected resources in the {{WEB-INF}} directory.
*Solution*: Fixed in [*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325] by [this|https://github.com/eclipse/jetty.project/commit/e412c8a15b3334b30193f40412c0fbc47e478e83] commit.
h2. BDSA-2021-0850
*Vulnerability Details in BlackDuck:* see [BDSA-2021-0850|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0850]
*Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-04-02 09:09 EDT
*Vulnerability Updated:* 2021-04-02 09:09 EDT
*CVSS Score:* 2.4 (overall), 2.7 (base)
*Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via symlink directory. A high privileged attacker could exploit this in order to view the contents of a symlink webapp directory.
h2. CVE-2021-28163
*Vulnerability Details in BlackDuck:* see [CVE-2021-28163|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28163]
*Vulnerability Published:* 2021-04-01 11:15 EDT
*Vulnerability Updated:* 2021-04-01 11:30 EDT
*CVSS Score:* (under review, not scored yet - updates will be reported in issue comments)
*Summary*: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
h2. CVE-2021-28164
*Vulnerability Details in BlackDuck:* see [CVE-2021-28164|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28164]
*Vulnerability Published:* 2021-04-01 11:15 EDT
*Vulnerability Updated:* 2021-04-01 11:30 EDT
*CVSS Score:* (under review, not scored yet - updates will be reported in issue comments)
*Summary*: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
h2. CVE-2021-28165
*Vulnerability Details in BlackDuck:* see [CVE-2021-28165|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28165]
*Vulnerability Published:* 2021-04-01 11:15 EDT
*Vulnerability Updated:* 2021-04-01 11:30 EDT
*CVSS Score:* (under review, not scored yet - updates will be reported in issue comments)
*Summary*: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
was:
High security vulnerability ahs been reported in the Jetty jar bundled within Solr:
h2. BDSA-2021-0848
*Vulnerability Details in BlackDuck:* see [BDSA-2021-0848|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0848]
*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-04-02 06:29 EDT
*Vulnerability Updated:* 2021-04-02 06:29 EDT
*CVSS Score:* 6.7 (overall), {color:#FF0000}7.5{color} (base)
*Summary*: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid TLS frames. An attacker could exploit this by sending a TLS frame with a size in excess of 17408 resulting in excessive resource consumption leading to a DoS condition.
*Solution*: Fixed in [*10.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.2] and [*11.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.2] by [this|https://github.com/eclipse/jetty.project/commit/be22761a20a1685365c8e0356bf09b47e574cfd9] and [this|https://github.com/eclipse/jetty.project/commit/039c7386d0f3087d7c8aa19ea6001b24c95b9f16] commit. Fixed in [*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325] by [this|https://github.com/eclipse/jetty.project/commit/00d379c94ba865dced2025c2d1bc3e2e0e41e880] and [this|https://github.com/eclipse/jetty.project/commit/294b2ba02b667548617a94cd99592110ac230add] commit.
> High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr
> ------------------------------------------------------------------------------------
>
> Key: SOLR-15338
> URL: https://issues.apache.org/jira/browse/SOLR-15338
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 8.8.1
> Reporter: WCM RnD
> Priority: Critical
>
> High security vulnerability ahs been reported in the Jetty jar bundled within Solr:
>
>
>
> h2. BDSA-2021-0848
> *Vulnerability Details in BlackDuck:* see [BDSA-2021-0848|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0848]
> *Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
> *Vulnerability Published:* 2021-04-02 06:29 EDT
> *Vulnerability Updated:* 2021-04-02 06:29 EDT
> *CVSS Score:* 6.7 (overall), {color:#ff0000}7.5{color} (base)
> *Summary*: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid TLS frames. An attacker could exploit this by sending a TLS frame with a size in excess of 17408 resulting in excessive resource consumption leading to a DoS condition.
> *Solution*: Fixed in [*10.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.2] and [*11.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.2] by [this|https://github.com/eclipse/jetty.project/commit/be22761a20a1685365c8e0356bf09b47e574cfd9] and [this|https://github.com/eclipse/jetty.project/commit/039c7386d0f3087d7c8aa19ea6001b24c95b9f16] commit. Fixed in [*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325] by [this|https://github.com/eclipse/jetty.project/commit/00d379c94ba865dced2025c2d1bc3e2e0e41e880] and [this|https://github.com/eclipse/jetty.project/commit/294b2ba02b667548617a94cd99592110ac230add] commit.
>
> h2. BDSA-2021-0849
> *Vulnerability Details in BlackDuck:* see [BDSA-2021-0849|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0849]
> *Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
> *Vulnerability Published:* 2021-04-02 06:55 EDT
> *Vulnerability Updated:* 2021-04-02 06:55 EDT
> *CVSS Score:* 4.6 (overall), 5.3 (base)
> *Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via default compliance mode. An attacker could exploit this by using a URL containing {{%2e}} or {{%2e%2e}} segments. These were improperly allowed to access protected resources in the {{WEB-INF}} directory.
> *Solution*: Fixed in [*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325] by [this|https://github.com/eclipse/jetty.project/commit/e412c8a15b3334b30193f40412c0fbc47e478e83] commit.
>
> h2. BDSA-2021-0850
> *Vulnerability Details in BlackDuck:* see [BDSA-2021-0850|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0850]
> *Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
> *Vulnerability Published:* 2021-04-02 09:09 EDT
> *Vulnerability Updated:* 2021-04-02 09:09 EDT
> *CVSS Score:* 2.4 (overall), 2.7 (base)
> *Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via symlink directory. A high privileged attacker could exploit this in order to view the contents of a symlink webapp directory.
> h2. CVE-2021-28163
> *Vulnerability Details in BlackDuck:* see [CVE-2021-28163|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28163]
> *Vulnerability Published:* 2021-04-01 11:15 EDT
> *Vulnerability Updated:* 2021-04-01 11:30 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in issue comments)
> *Summary*: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
>
> h2. CVE-2021-28164
> *Vulnerability Details in BlackDuck:* see [CVE-2021-28164|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28164]
> *Vulnerability Published:* 2021-04-01 11:15 EDT
> *Vulnerability Updated:* 2021-04-01 11:30 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in issue comments)
> *Summary*: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
>
> h2. CVE-2021-28165
> *Vulnerability Details in BlackDuck:* see [CVE-2021-28165|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28165]
> *Vulnerability Published:* 2021-04-01 11:15 EDT
> *Vulnerability Updated:* 2021-04-01 11:30 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in issue comments)
> *Summary*: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org