Bug 2239630 (CVE-2023-36479)

Summary: CVE-2023-36479 jetty: Improper addition of quotation marks to user inputs in CgiServlet
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, alampare, alazarot, asoldano, ataylor, bbaranow, bbuckingham, bcourt, bmaxwell, brian.stansberry, caswilli, cdewolf, chazlett, chfoley, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, dsimansk, ehelms, emingora, fjansen, fjuma, gjospin, gmalinko, ibek, ivassile, iweiss, janstey, jburrell, jrokos, jross, jscholz, jsherril, kaycoth, kverlaen, lbacciot, lball, lgao, lzap, matzew, mhulan, mnovotny, mosmerov, msochure, mstefank, msvehla, nmoumoul, nwallace, orabin, pcreech, pdelbell, pjindal, pmackay, rchan, rguimara, rhuss, rjohnson, rkieley, rogbas, rstancel, skontopo, smaestri, swoodman, tom.jenkinson, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jetty 12.0.0beta, jetty 9.4.52, jetty 10.0.16, jetty 11.0.16 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jetty's CGI servlet which permits incorrect command execution in specific circumstances such as requests with certain characters in requested filenames. This issue could allow an attacker to run permitted commands other than the one requested.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2024-07-01 19:07:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2239842, 2240279, 2257319    
Bug Blocks: 2239846    

Description Pedro Sampaio 2023-09-19 13:37:49 UTC 
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

References:

https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
https://github.com/eclipse/jetty.project/pull/9516
https://github.com/eclipse/jetty.project/pull/9889
https://github.com/eclipse/jetty.project/pull/9888
Comment 1 Pedro Sampaio 2023-09-20 13:49:17 UTC 
Created jetty tracking bugs for this issue:

Affects: fedora-all [bug 2239842]
Comment 11 errata-xmlrpc 2023-11-15 17:07:52 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.12.1

Via RHSA-2023:7247 https://access.redhat.com/errata/RHSA-2023:7247
Comment 12 errata-xmlrpc 2024-02-13 14:43:06 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2024:0797 https://access.redhat.com/errata/RHSA-2024:0797
Comment 15 errata-xmlrpc 2024-04-23 17:14:35 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010
Comment 16 errata-xmlrpc 2024-05-23 22:45:35 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.13.0

Via RHSA-2024:3354 https://access.redhat.com/errata/RHSA-2024:3354
Comment 17 errata-xmlrpc 2024-06-13 11:38:25 UTC 
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2024:3919 https://access.redhat.com/errata/RHSA-2024:3919
Comment 18 errata-xmlrpc 2024-06-20 00:35:39 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989