Bug 2239634 (CVE-2023-40167)

Summary: CVE-2023-40167 jetty: Improper validation of HTTP/1 content-length
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Sayan Biswas <sabiswas>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alampare, alazarot, asatyam, ataylor, bbuckingham, bcourt, boliveir, caswilli, chazlett, chfoley, dfreiber, dhanak, diagrawa, drichtar, dsimansk, ehelms, emingora, fjansen, fmariani, fmongiar, gjospin, gmalinko, ibek, janstey, jburrell, jnethert, jpoth, jrokos, jross, jscholz, jsherril, kaycoth, kverlaen, lbacciot, lball, lzap, matzew, mhulan, mnovotny, nmoumoul, orabin, owatkins, pcreech, pdelbell, pdrozd, peholase, pjindal, pskopek, rchan, rguimara, rhuss, rjohnson, rkieley, rogbas, rowaters, sdawley, sthorger, swoodman, tcunning, vkumar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jetty 9.4.52, jetty 10.0.16, jetty 11.0.6, jetty 12.0.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jetty that permits a plus sign (+) preceding the content-length value in a HTTP/1 header field, which is non-standard and more permissive than RFC. This issue could allow an attacker to request smuggling in conjunction with a server that does not close connections after 400 responses.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2240264, 2247377, 2257318    
Bug Blocks: 2239846    

Description Pedro Sampaio 2023-09-19 13:49:17 UTC 
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field.  This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses.  There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

References:

https://www.rfc-editor.org/rfc/rfc9110#section-8.6
https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
Comment 1 Pedro Sampaio 2023-09-20 13:51:05 UTC 
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field.  This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses.  There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

References:

https://www.rfc-editor.org/rfc/rfc9110#section-8.6
https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
Comment 12 errata-xmlrpc 2023-10-04 11:59:37 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.0

Via RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441
Comment 13 errata-xmlrpc 2023-10-17 11:42:56 UTC 
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2023:5780 https://access.redhat.com/errata/RHSA-2023:5780
Comment 14 errata-xmlrpc 2023-10-19 19:09:40 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2023:5946 https://access.redhat.com/errata/RHSA-2023:5946
Comment 16 errata-xmlrpc 2023-11-15 17:08:00 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.12.1

Via RHSA-2023:7247 https://access.redhat.com/errata/RHSA-2023:7247
Comment 17 errata-xmlrpc 2023-12-06 23:30:52 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.6.0

Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678
Comment 18 errata-xmlrpc 2023-12-07 13:42:14 UTC 
This issue has been addressed in the following products:

  AMQ Clients 3.y for RHEL 8
  AMQ Clients 3.y for RHEL 9

Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697
Comment 19 errata-xmlrpc 2024-02-12 10:37:23 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
Comment 20 errata-xmlrpc 2024-02-13 14:43:09 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2024:0797 https://access.redhat.com/errata/RHSA-2024:0797
Comment 23 errata-xmlrpc 2024-04-23 17:14:35 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010
Comment 27 errata-xmlrpc 2024-05-23 22:45:36 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.13.0

Via RHSA-2024:3354 https://access.redhat.com/errata/RHSA-2024:3354