[jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr

[Mayya Sharipova (Jira)]

     [ 
https://issues.apache.org/jira/browse/SOLR-15338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mayya Sharipova updated SOLR-15338:
-----------------------------------
    Security:     (was: Public)

> High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled 
> within Solr
> ------------------------------------------------------------------------------------
>
>                 Key: SOLR-15338
>                 URL: https://issues.apache.org/jira/browse/SOLR-15338
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 8.8.1
>            Reporter: WCM RnD
>            Priority: Critical
>
> High security vulnerability ahs been reported in the Jetty jar bundled within 
> Solr:
>  
>  
>  
> h2. BDSA-2021-0848
> *Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket 
> Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
>  *Vulnerability Published:* 2021-04-02 06:29 EDT
>  *Vulnerability Updated:* 2021-04-02 06:29 EDT
>  *CVSS Score:* 6.7 (overall), {color:#ff0000}7.5{color} (base)
> *Summary*: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid 
> TLS frames. An attacker could exploit this by sending a TLS frame with a size 
> in excess of 17408 resulting in excessive resource consumption leading to a 
> DoS condition.
> *Solution*: Fixed in 
> [*10.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.2] 
> and 
> [*11.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.2] 
> by 
> [this|https://github.com/eclipse/jetty.project/commit/be22761a20a1685365c8e0356bf09b47e574cfd9]
>  and 
> [this|https://github.com/eclipse/jetty.project/commit/039c7386d0f3087d7c8aa19ea6001b24c95b9f16]
>  commit. Fixed in 
> [*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
>  by 
> [this|https://github.com/eclipse/jetty.project/commit/00d379c94ba865dced2025c2d1bc3e2e0e41e880]
>  and 
> [this|https://github.com/eclipse/jetty.project/commit/294b2ba02b667548617a94cd99592110ac230add]
>  commit.
>  
> h2. BDSA-2021-0849
> *Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet, 
> WebSocket Server
>  *Vulnerability Published:* 2021-04-02 06:55 EDT
>  *Vulnerability Updated:* 2021-04-02 06:55 EDT
>  *CVSS Score:* 4.6 (overall), 5.3 (base)
> *Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via default 
> compliance mode. An attacker could exploit this by using a URL containing 
> {{%2e}} or {{%2e%2e}} segments. These were improperly allowed to access 
> protected resources in the {{WEB-INF}} directory.
> *Solution*: Fixed in 
> [*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
>  by 
> [this|https://github.com/eclipse/jetty.project/commit/e412c8a15b3334b30193f40412c0fbc47e478e83]
>  commit.
>  
> h2. BDSA-2021-0850
> *Affected Component(s):* Jetty: Java based HTTP/1.x, HTTP/2, Servlet, 
> WebSocket Server
>  *Vulnerability Published:* 2021-04-02 09:09 EDT
>  *Vulnerability Updated:* 2021-04-02 09:09 EDT
>  *CVSS Score:* 2.4 (overall), 2.7 (base)
> *Summary*: Eclipse Jetty is vulnerable to sensitive data exposure via symlink 
> directory. A high privileged attacker could exploit this in order to view the 
> contents of a symlink webapp directory.
> h2. CVE-2021-28163
> *Vulnerability Published:* 2021-04-01 11:15 EDT
>  *Vulnerability Updated:* 2021-04-01 11:30 EDT
>  *CVSS Score:* (under review, not scored yet - updates will be reported in 
> issue comments)
> *Summary*: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, 
> the contents of the webapps directory is deployed as a static webapp, 
> inadvertently serving the webapps themselves and anything else that might be 
> in that directory.
>  
> h2. CVE-2021-28164
> *Vulnerability Published:* 2021-04-01 11:15 EDT
>  *Vulnerability Updated:* 2021-04-01 11:30 EDT
>  *CVSS Score:* (under review, not scored yet - updates will be reported in 
> issue comments)
> *Summary*: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default 
> compliance mode allows requests with URIs that contain %2e or %2e%2e segments 
> to access protected resources within the WEB-INF directory. For example a 
> request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This 
> can reveal sensitive information regarding the implementation of a web 
> application.
>  
> h2. CVE-2021-28165
> *Vulnerability Published:* 2021-04-01 11:15 EDT
>  *Vulnerability Updated:* 2021-04-01 11:30 EDT
>  *CVSS Score:* (under review, not scored yet - updates will be reported in 
> issue comments)
> *Summary*: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large 
> invalid TLS frame.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org