Critical Vulnerability Found in Jetty Web Server

Researchers have identified a critical information leakage vulnerability in Jetty, the Web server and Java servlet container maintained by the Eclipse Foundation.

The flaw (CVE-2015-2080) was discovered earlier this month by New York-based security services company Gotham Digital Science (GDS). The vulnerability, dubbed JetLeak by the researchers, can be exploited by a remote, unauthenticated attacker to read arbitrary data from requests previously submitted by users to the server, GDS reported.

An attacker can obtain various pieces of sensitive data transmitted through headers and POST requests, including cookies, authentication tokens, anti-CSRF tokens, usernames, and passwords, researchers said.

“The root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server,” Stephen Komal, a security researcher at GDS, explained in a blog post.

“An attacker can exploit this behavior by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user submitted data from previous requests, the Jetty server will return specific data chunks (approximately 16-bytes in length) from the user’s request depending on the attacker’s payload offset,” Komal added.
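To illustrate the bug class Komal describes, here is an added toy model (not Jetty's HttpParser and not GDS's code): a parser that reuses one buffer across requests and, on an illegal header byte, echoes the next 16 bytes of that buffer into its error response, beside a hardened error path that reports only the offending byte and its offset. The request bytes are constructed sample data.

```python
# Added toy model of the bug class, not Jetty's HttpParser.
SHARED_BUFFER = bytearray(4096)  # reused by every request and never cleared

# Constructed sample traffic: a victim's request, then a probe whose run of
# filler bytes places the illegal byte (0x00) just before the cookie value.
VICTIM_REQUEST = b"POST /login HTTP/1.1\r\nCookie: session=SECRET-COOKIE-VALUE\r\n\r\n"
PROBE_REQUEST = b"GET / HTTP/1.1\r\nX: " + b"A" * 18 + b"\x00"

def _load_request(raw: bytes) -> None:
    """Copy the request into the shared buffer; bytes past its end stay stale."""
    SHARED_BUFFER[: len(raw)] = raw

def _first_illegal(raw: bytes) -> int:
    """Index of the first control byte not permitted in a header line, or -1."""
    for i, b in enumerate(raw):
        if b < 0x20 and b not in (0x09, 0x0D, 0x0A):  # allow HTAB, CR, LF
            return i
    return -1

def parse_vulnerable(raw: bytes) -> tuple:
    """Vulnerable error path: the 400 body echoes the 16 buffer bytes that follow
    the illegal character, and those bytes may belong to an earlier request."""
    _load_request(raw)
    i = _first_illegal(raw)
    if i < 0:
        return 200, b"OK"
    echoed = bytes(SHARED_BUFFER[i + 1 : i + 17])
    return 400, b"Illegal character in header value: " + echoed

def parse_fixed(raw: bytes) -> tuple:
    """Hardened error path: name the offending byte and offset, copy nothing."""
    _load_request(raw)
    i = _first_illegal(raw)
    if i < 0:
        return 200, b"OK"
    return 400, b"Illegal character 0x%02x in header value at offset %d" % (raw[i], i)

if __name__ == "__main__":
    parse_vulnerable(VICTIM_REQUEST)        # victim's data now sits in the buffer
    print(parse_vulnerable(PROBE_REQUEST))  # error body carries part of the cookie
    parse_fixed(VICTIM_REQUEST)
    print(parse_fixed(PROBE_REQUEST))       # error body carries no buffer contents
```

The defensive lesson is the one the Jetty team drew: a diagnostic error message must describe the failure, never copy raw bytes out of a buffer that other requests share.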

The bug, described by the Jetty development team as an “HttpParser error buffer bleed vulnerability,” affects Jetty versions 9.2.3 through 9.2.8, and Jetty 9.3.0, which is currently in beta.

The vulnerability was reported to Eclipse on February 19. On February 23, developers determined that the bug was caused by a “bad implementation of a feature request for more details on HttpParser parsing errors.” The flaw was addressed on Tuesday with the release of Jetty 9.2.9.

“We determined that the severity of this bug was high enough that getting a release out and publishing the details was vital and important to our user base,” Eclipse explained in its advisory.

The Jetty development team has also promised to fix the vulnerability in version 9.3.0. GDS noted that patched versions of the affected files will also be made available for Jetty 9.2.3 through 9.2.8.

It’s important to note that Jetty is bundled with several third-party products, including embedded systems. The list of solutions powered by Jetty includes Hadoop, Cisco’s Subscriber Edge Services Manager (SESM), IBM Tivoli NetView, VMware, Vodafone 360, HP OpenView Interconnect Tools, and WikiLeaks.

“Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available,” Komal said. “Additionally, we have encountered cases where development teams use Jetty as a lightweight replacement for app servers such as Tomcat. Organizations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty.”

GDS has developed a script that allows users to determine if their Jetty HTTP servers are vulnerable to JetLeak attacks.
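GDS's script is not reproduced here; as an added example, the following Python check triages Jetty Server banners against the version range the advisory names (9.2.3 through 9.2.8, and the 9.3.0 beta). The banner format `Jetty(major.minor.patch.qualifier)`, the treatment of an `M`-qualified 9.3.0 as the beta, and the sample headers are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Version range the advisory names as affected; 9.2.9 carries the fix.
AFFECTED_LOW, AFFECTED_HIGH = (9, 2, 3), (9, 2, 8)

# Assumed banner format: "Jetty(9.2.8.v20150217)" or "Jetty(9.3.0.M1)".
_BANNER = re.compile(r"Jetty\((\d+)\.(\d+)\.(\d+)(?:\.([^)]*))?\)")

def parse_jetty_banner(server_header: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Split a Server header into ((major, minor, patch), qualifier); None if not Jetty."""
    m = _BANNER.search(server_header)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), (m.group(4) or "")

def is_affected(server_header: str) -> Optional[bool]:
    """True for a banner in the affected range, False otherwise, None if not Jetty."""
    parsed = parse_jetty_banner(server_header)
    if parsed is None:
        return None
    version, qualifier = parsed
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return True
    # Assumption: an "M"-qualified 9.3.0 banner is the beta the advisory lists;
    # the final 9.3.0 was promised a fix, so a bare 9.3.0 is not flagged.
    return version == (9, 3, 0) and qualifier.upper().startswith("M")

def triage(inventory: dict) -> dict:
    """Map host -> 'affected' / 'not affected' / 'not jetty' from Server headers."""
    labels = {True: "affected", False: "not affected", None: "not jetty"}
    return {host: labels[is_affected(hdr)] for host, hdr in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory (host -> observed Server header).
    sample = {
        "app1.example": "Jetty(9.2.8.v20150217)",
        "app2.example": "Jetty(9.2.9.v20150224)",
        "ci.example": "Jetty(9.3.0.M1)",
        "www.example": "Apache/2.4.7 (Ubuntu)",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:14} {verdict}")
```

A banner check only covers servers that advertise a version; for Jetty embedded in third-party products, as the article notes, the vendor has to confirm which build is inside.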

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
