Researchers have identified a critical information leakage vulnerability in Jetty, the Web server and Java servlet container maintained by the Eclipse Foundation.
The flaw (CVE-2015-2080) was discovered earlier this month by New York-based security services company Gotham Digital Science (GDS). The vulnerability, dubbed by researchers JetLeak, can be exploited by a remote, unauthenticated attacker to read arbitrary data from requests previously submitted by users to the server, GDS reported.
An attacker can obtain various pieces of sensitive data transmitted through headers and POST requests, including cookies, authentication tokens, anti-CSRF tokens, usernames, and passwords, researchers said.
“The root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server,” Stephen Komal, a security researcher at GDS, explained in a blog post.
“An attacker can exploit this behavior by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user submitted data from previous requests, the Jetty server will return specific data chunks (approximately 16-bytes in length) from the user’s request depending on the attacker’s payload offset,” Komal added.
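The mechanism Komal describes is easier to see in a small model. The following is an added illustration, not Jetty's parser and not the GDS test script. It assumes one byte buffer that is reused across requests without being cleared, a vulnerable error path that appends the 16 bytes just past the current request's end (the parser's limit) to the 400 reason phrase, and constructed sample requests; the names, offsets and the hex-encoded "tail=" format of the echoed bytes are all inventions of the example. Varying the length of the run of illegal bytes moves the limit, which is what slides the 16-byte window across the stale data left by an earlier request.

```python
"""Toy model of the JetLeak (CVE-2015-2080) mechanism.

Added illustration, not Jetty's own parser or GDS's script. Assumptions:
a single byte buffer is reused across requests without being cleared, and the
vulnerable error path appends the 16 bytes that sit just past the current
request's end (the parser's limit) to the 400 reason phrase. Offsets, names
and the sample requests below are constructed for the example.
"""
import re

BUF_SIZE = 256      # constructed: one small shared buffer stands in for Jetty's buffer pool
LEAK_WINDOW = 16    # bytes echoed past the limit, matching the "approximately 16 bytes" in the report

# Constructed victim request that fills the shared buffer before the attacker arrives
VICTIM_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Cookie: JSESSIONID=9F2C1A7E\r\n"
    b"Content-Length: 27\r\n\r\n"
    b"user=alice&password=hunter2"
)


def is_legal_header_byte(b: int) -> bool:
    """Header values may contain printable ASCII and horizontal tab; anything else is illegal."""
    return b == 0x09 or 0x20 <= b < 0x7F


class ToyHttpParser:
    """Minimal header parser over one shared, never-cleared buffer."""

    def __init__(self, size: int = BUF_SIZE) -> None:
        self.buf = bytearray(size)

    def handle(self, request: bytes, vulnerable: bool) -> tuple[int, str]:
        """Return (status, reason). Copies the request into the shared buffer, so bytes
        beyond len(request) are stale data left by whoever used the buffer before."""
        limit = len(request)
        if limit > len(self.buf):
            raise ValueError("request larger than the shared buffer")
        self.buf[:limit] = request
        head = request.split(b"\r\n\r\n", 1)[0]
        for line in head.split(b"\r\n")[1:]:          # skip the request line
            _, _, value = line.partition(b":")
            bad = next((b for b in value if not is_legal_header_byte(b)), None)
            if bad is not None:
                reason = f"Illegal character 0x{bad:02X} in state HEADER_VALUE"
                if vulnerable:
                    # The bug: the debug dump includes bytes past the limit, i.e. stale data
                    tail = bytes(self.buf[limit:limit + LEAK_WINDOW])
                    reason += f" for buffer tail={tail.hex()}"
                return 400, reason
        return 200, "OK"


def attacker_request(padding: int) -> bytes:
    """Probe whose only variable part is a run of illegal NUL bytes in a header value.
    Its length sets the parser's limit, and therefore where the 16-byte window lands."""
    return b"GET / HTTP/1.1\r\nHost: x\r\nX-Probe: \x00" + b"\x00" * padding + b"\r\n\r\n"


def extract_leak(reason: str) -> bytes:
    """Pull the echoed buffer bytes back out of a 400 reason phrase (empty if none)."""
    m = re.search(r"tail=([0-9a-f]*)", reason)
    return bytes.fromhex(m.group(1)) if m else b""


def harvest(vulnerable: bool, max_padding: int = 96) -> bytes:
    """Replay the attack: a victim request fills the buffer, then probes of increasing
    length slide the window forward 16 bytes at a time and the chunks are reassembled.
    Probes must grow monotonically: each probe overwrites the buffer up to its own limit."""
    parser = ToyHttpParser()
    assert parser.handle(VICTIM_REQUEST, vulnerable) == (200, "OK")
    leaked = b""
    for padding in range(0, max_padding, LEAK_WINDOW):
        status, reason = parser.handle(attacker_request(padding), vulnerable)
        assert status == 400
        leaked += extract_leak(reason)
    return leaked


if __name__ == "__main__":
    print("vulnerable :", harvest(True))
    print("fixed      :", harvest(False) or b"<nothing echoed>")
```

Running the model with `vulnerable=True` reassembles the earlier user's session cookie and POST body from the 400 responses; with `vulnerable=False` the same probes still get a 400, but the reason phrase names only the offending byte and parser state, which is the shape of the fix: an error message must never quote the buffer it was parsing. The probes deliberately grow in length rather than shrink, because each one overwrites the shared buffer up to its own end and would destroy the data a shorter probe could still reach.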
The bug, described by the Jetty development team as a “HttpParser error buffer bleed vulnerability,” affects Jetty versions 9.2.3 through 9.2.8, and Jetty 9.3.0, which is currently in beta.
The vulnerability was reported to Eclipse on February 19. On February 23, developers determined that the bug was caused by a “bad implementation of a feature request for more details on HttpParser parsing errors.” The flaw was addressed on Tuesday with the release of Jetty 9.2.9.
“We determined that the severity of this bug was high enough that getting a release out and publishing the details was vital and important to our user base,” Eclipse explained in its advisory.
The Jetty development team has also promised to fix the vulnerability in version 9.3.0. GDS noted that patched versions of the affected files will also be made available for Jetty 9.2.3 through 9.2.8.
It’s important to note that Jetty is bundled with several third-party products, including embedded systems. The list of solutions powered by Jetty includes Hadoop, Cisco’s Subscriber Edge Services Manager (SESM), IBM Tivoli NetView, VMware, Vodafone 360, HP OpenView Interconnect Tools, and WikiLeaks.
“Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available,” Komal said. “Additionally, we have encountered cases where development teams use Jetty as a lightweight replacement for app servers such as Tomcat. Organizations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty.”
GDS has developed a script that allows users to determine if their Jetty HTTP servers are vulnerable to JetLeak attacks.