[
https://issues.apache.org/jira/browse/SOLR-15338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
WCM RnD updated SOLR-15338:
---------------------------
Description:
High security vulnerability ahs been reported in the Jetty jar bundled within
Solr:
h2. BDSA-2021-0848
*Vulnerability Details in BlackDuck:* see
[BDSA-2021-0848|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0848]
*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket
Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-04-02 06:29 EDT
*Vulnerability Updated:* 2021-04-02 06:29 EDT
*CVSS Score:* 6.7 (overall), {color:#ff0000}7.5{color} (base)
*Summary*: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid
TLS frames. An attacker could exploit this by sending a TLS frame with a size
in excess of 17408 resulting in excessive resource consumption leading to a DoS
condition.
*Solution*: Fixed in
[*10.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.2]
and
[*11.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.2]
by
[this|https://github.com/eclipse/jetty.project/commit/be22761a20a1685365c8e0356bf09b47e574cfd9]
and
[this|https://github.com/eclipse/jetty.project/commit/039c7386d0f3087d7c8aa19ea6001b24c95b9f16]
commit. Fixed in
[*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
by
[this|https://github.com/eclipse/jetty.project/commit/00d379c94ba865dced2025c2d1bc3e2e0e41e880]
and
[this|https://github.com/eclipse/jetty.project/commit/294b2ba02b667548617a94cd99592110ac230add]
commit.
h2. BDSA-2021-0849
*Vulnerability Details in BlackDuck:* see
[BDSA-2021-0849|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0849]
*Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket
Server
*Vulnerability Published:* 2021-04-02 06:55 EDT
*Vulnerability Updated:* 2021-04-02 06:55 EDT
*CVSS Score:* 4.6 (overall), 5.3 (base)
*Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via default
compliance mode. An attacker could exploit this by using a URL containing
{{%2e}} or {{%2e%2e}} segments. These were improperly allowed to access
protected resources in the {{WEB-INF}} directory.
*Solution*: Fixed in
[*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
by
[this|https://github.com/eclipse/jetty.project/commit/e412c8a15b3334b30193f40412c0fbc47e478e83]
commit.
h2. BDSA-2021-0850
*Vulnerability Details in BlackDuck:* see
[BDSA-2021-0850|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0850]
*Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket
Server
*Vulnerability Published:* 2021-04-02 09:09 EDT
*Vulnerability Updated:* 2021-04-02 09:09 EDT
*CVSS Score:* 2.4 (overall), 2.7 (base)
*Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via symlink
directory. A high privileged attacker could exploit this in order to view the
contents of a symlink webapp directory.
h2. CVE-2021-28163
*Vulnerability Details in BlackDuck:* see
[CVE-2021-28163|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28163]
*Vulnerability Published:* 2021-04-01 11:15 EDT
*Vulnerability Updated:* 2021-04-01 11:30 EDT
*CVSS Score:* (under review, not scored yet - updates will be reported in issue
comments)
*Summary*: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink,
the contents of the webapps directory is deployed as a static webapp,
inadvertently serving the webapps themselves and anything else that might be in
that directory.
h2. CVE-2021-28164
*Vulnerability Details in BlackDuck:* see
[CVE-2021-28164|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28164]
*Vulnerability Published:* 2021-04-01 11:15 EDT
*Vulnerability Updated:* 2021-04-01 11:30 EDT
*CVSS Score:* (under review, not scored yet - updates will be reported in issue
comments)
*Summary*: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
compliance mode allows requests with URIs that contain %2e or %2e%2e segments
to access protected resources within the WEB-INF directory. For example a
request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can
reveal sensitive information regarding the implementation of a web application.
h2. CVE-2021-28165
*Vulnerability Details in BlackDuck:* see
[CVE-2021-28165|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28165]
*Vulnerability Published:* 2021-04-01 11:15 EDT
*Vulnerability Updated:* 2021-04-01 11:30 EDT
*CVSS Score:* (under review, not scored yet - updates will be reported in issue
comments)
*Summary*: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large
invalid TLS frame.
was:
High security vulnerability ahs been reported in the Jetty jar bundled within
Solr:
h2. BDSA-2021-0848
*Vulnerability Details in BlackDuck:* see
[BDSA-2021-0848|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0848]
*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket
Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-04-02 06:29 EDT
*Vulnerability Updated:* 2021-04-02 06:29 EDT
*CVSS Score:* 6.7 (overall), {color:#FF0000}7.5{color} (base)
*Summary*: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid
TLS frames. An attacker could exploit this by sending a TLS frame with a size
in excess of 17408 resulting in excessive resource consumption leading to a DoS
condition.
*Solution*: Fixed in
[*10.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.2]
and
[*11.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.2]
by
[this|https://github.com/eclipse/jetty.project/commit/be22761a20a1685365c8e0356bf09b47e574cfd9]
and
[this|https://github.com/eclipse/jetty.project/commit/039c7386d0f3087d7c8aa19ea6001b24c95b9f16]
commit. Fixed in
[*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
by
[this|https://github.com/eclipse/jetty.project/commit/00d379c94ba865dced2025c2d1bc3e2e0e41e880]
and
[this|https://github.com/eclipse/jetty.project/commit/294b2ba02b667548617a94cd99592110ac230add]
commit.
> High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled
> within Solr
> ------------------------------------------------------------------------------------
>
> Key: SOLR-15338
> URL: https://issues.apache.org/jira/browse/SOLR-15338
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 8.8.1
> Reporter: WCM RnD
> Priority: Critical
>
> High security vulnerability ahs been reported in the Jetty jar bundled within
> Solr:
>
>
>
> h2. BDSA-2021-0848
> *Vulnerability Details in BlackDuck:* see
> [BDSA-2021-0848|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0848]
> *Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket
> Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
> *Vulnerability Published:* 2021-04-02 06:29 EDT
> *Vulnerability Updated:* 2021-04-02 06:29 EDT
> *CVSS Score:* 6.7 (overall), {color:#ff0000}7.5{color} (base)
> *Summary*: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid
> TLS frames. An attacker could exploit this by sending a TLS frame with a size
> in excess of 17408 resulting in excessive resource consumption leading to a
> DoS condition.
> *Solution*: Fixed in
> [*10.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.2]
> and
> [*11.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.2]
> by
> [this|https://github.com/eclipse/jetty.project/commit/be22761a20a1685365c8e0356bf09b47e574cfd9]
> and
> [this|https://github.com/eclipse/jetty.project/commit/039c7386d0f3087d7c8aa19ea6001b24c95b9f16]
> commit. Fixed in
> [*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
> by
> [this|https://github.com/eclipse/jetty.project/commit/00d379c94ba865dced2025c2d1bc3e2e0e41e880]
> and
> [this|https://github.com/eclipse/jetty.project/commit/294b2ba02b667548617a94cd99592110ac230add]
> commit.
>
> h2. BDSA-2021-0849
> *Vulnerability Details in BlackDuck:* see
> [BDSA-2021-0849|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0849]
> *Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet,
> WebSocket Server
> *Vulnerability Published:* 2021-04-02 06:55 EDT
> *Vulnerability Updated:* 2021-04-02 06:55 EDT
> *CVSS Score:* 4.6 (overall), 5.3 (base)
> *Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via default
> compliance mode. An attacker could exploit this by using a URL containing
> {{%2e}} or {{%2e%2e}} segments. These were improperly allowed to access
> protected resources in the {{WEB-INF}} directory.
> *Solution*: Fixed in
> [*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
> by
> [this|https://github.com/eclipse/jetty.project/commit/e412c8a15b3334b30193f40412c0fbc47e478e83]
> commit.
>
> h2. BDSA-2021-0850
> *Vulnerability Details in BlackDuck:* see
> [BDSA-2021-0850|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0850]
> *Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet,
> WebSocket Server
> *Vulnerability Published:* 2021-04-02 09:09 EDT
> *Vulnerability Updated:* 2021-04-02 09:09 EDT
> *CVSS Score:* 2.4 (overall), 2.7 (base)
> *Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via symlink
> directory. A high privileged attacker could exploit this in order to view the
> contents of a symlink webapp directory.
> h2. CVE-2021-28163
> *Vulnerability Details in BlackDuck:* see
> [CVE-2021-28163|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28163]
> *Vulnerability Published:* 2021-04-01 11:15 EDT
> *Vulnerability Updated:* 2021-04-01 11:30 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in
> issue comments)
> *Summary*: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink,
> the contents of the webapps directory is deployed as a static webapp,
> inadvertently serving the webapps themselves and anything else that might be
> in that directory.
>
> h2. CVE-2021-28164
> *Vulnerability Details in BlackDuck:* see
> [CVE-2021-28164|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28164]
> *Vulnerability Published:* 2021-04-01 11:15 EDT
> *Vulnerability Updated:* 2021-04-01 11:30 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in
> issue comments)
> *Summary*: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e segments
> to access protected resources within the WEB-INF directory. For example a
> request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This
> can reveal sensitive information regarding the implementation of a web
> application.
>
> h2. CVE-2021-28165
> *Vulnerability Details in BlackDuck:* see
> [CVE-2021-28165|https://blackduck.opentext.net/api/vulnerabilities/CVE-2021-28165]
> *Vulnerability Published:* 2021-04-01 11:15 EDT
> *Vulnerability Updated:* 2021-04-01 11:30 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in
> issue comments)
> *Summary*: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large
> invalid TLS frame.
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
