Bug 1891132 (CVE-2020-27216)

Summary: CVE-2020-27216 jetty: local temporary directory hijacking vulnerability
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abenaiss, aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, ataylor, bmontgom, btofel, chazlett, drieden, eclipse-sig, eparis, etirelli, ganandan, ggaughan, gmalinko, gvarsami, ibek, janstey, java-maint, java-sig-commits, jburrell, jcoleman, jjohnstn, jochrist, jokerman, jstastny, jwon, kconner, krathod, krzysztof.daniel, kverlaen, ldimaggi, mat.booth, mizdebsk, mnovotny, nstielau, nwallace, pbhattac, pdrozd, pjindal, rrajasek, rsynek, rwagner, sdaley, sd-operator-metering, sochotni, sponnaga, sthorger, tcunning, tkirby, vbobade
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jetty 9.4.33.v20201020, jetty 10.0.0.beta3, jetty 11.0.0.beta3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-23 23:33:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1891133, 1891693, 1891694, 1891695, 1891703, 1894813, 1894814, 1952337, 1952340, 1972361    
Bug Blocks: 1891134    

Description Guilherme de Almeida Suckevicz 2020-10-23 20:49:23 UTC 
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
Comment 1 Guilherme de Almeida Suckevicz 2020-10-23 20:49:45 UTC 
Created jetty tracking bugs for this issue:

Affects: fedora-all [bug 1891133]
Comment 3 Chess Hazlett 2020-10-26 21:08:07 UTC 
Mitigation:

Jetty users should create temp folders outside the normal /tmp structure, and ensure that their permissions are set so as not to be accessible by an attacker.
Comment 7 Mark Cooper 2020-10-27 06:19:39 UTC 
External References:

https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
Comment 8 Mark Cooper 2020-10-27 06:25:06 UTC 
Upstream Fix: https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb
Comment 14 errata-xmlrpc 2020-11-23 09:05:05 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:5168 https://access.redhat.com/errata/RHSA-2020:5168
Comment 15 Product Security DevOps Team 2020-11-23 23:33:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27216
Comment 16 errata-xmlrpc 2020-12-08 08:55:51 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:5365 https://access.redhat.com/errata/RHSA-2020:5365
Comment 17 errata-xmlrpc 2021-02-02 07:37:16 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ LTS 7.4.6

Via RHSA-2021:0329 https://access.redhat.com/errata/RHSA-2021:0329
Comment 18 Przemyslaw Roguski 2021-03-29 13:11:48 UTC 
Statement:

In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of jetty.
Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.
This may be fixed in the future.

[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
Comment 20 errata-xmlrpc 2021-06-29 06:16:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:2499 https://access.redhat.com/errata/RHSA-2021:2499
Comment 21 errata-xmlrpc 2021-06-30 15:45:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:2517 https://access.redhat.com/errata/RHSA-2021:2517
Comment 22 errata-xmlrpc 2021-07-02 00:18:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:2431 https://access.redhat.com/errata/RHSA-2021:2431
Comment 23 errata-xmlrpc 2021-08-11 18:23:33 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140