Summary: CVE-2009-1523 CVE-2009-1524: multiple vulnerabilities in jetty
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Doc Type: Bug Fix
Last Closed: 2009-08-26 21:39:05 UTC
Description Vincent Danen 2009-05-08 16:10:38 UTC
Common Vulnerabilities and Exposures assigned the identifiers CVE-2009-1523 and CVE-2009-1524 to the following vulnerabilities:

Name: CVE-2009-1523
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1523
Assigned: 20090505
Reference: CONFIRM: http://jira.codehaus.org/browse/JETTY-1004
Reference: CONFIRM: http://www.kb.cert.org/vuls/id/CRDY-7RKQCY
Reference: CERT-VN:VU#402580
Reference: URL: http://www.kb.cert.org/vuls/id/402580
Reference: BID:34800
Reference: URL: http://www.securityfocus.com/bid/34800
Reference: SECUNIA:34975
Reference: URL: http://secunia.com/advisories/34975

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty before 6.1.17, and 7.0.0.M2 and earlier 7.x versions, allows remote attackers to access arbitrary files via directory traversal sequences in the URI.

Name: CVE-2009-1524
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1524
Assigned: 20090505
Reference: CONFIRM: http://jira.codehaus.org/browse/JETTY-980
Reference: BID:34800
Reference: URL: http://www.securityfocus.com/bid/34800
Reference: SECUNIA:34975
Reference: URL: http://secunia.com/advisories/34975

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.

Note: it is unclear whether or not this affects jetty 5.x, which is the version that is included in Fedora.
Comment 2 Vincent Danen 2009-05-08 16:15:29 UTC
Created attachment 343124: upstream patch to fix CVE-2009-1523 in jetty 6.x

Looking at the patch, I believe 5.x would be affected by this as well on a quick first glance. I need to look at it a bit closer, but with some quick grepping, it looks like: Response.java maps to servlet/ServletHttpResponse.java and possibly some duplicate code in servlet/Dispatcher.java. The URIUtil.java maps to util/URI.java (thus changing all URIUtil.* functions to URI.*).
Comment 3 Jan Lieskovsky 2009-05-13 11:58:16 UTC
For CVE-2009-1524:

Upstream issue description is here: http://jira.codehaus.org/browse/JETTY-980

According to the comment at http://jira.codehaus.org/browse/JETTY-980?focusedCommentId=174717&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_174717 the patch from http://jira.codehaus.org/secure/attachment/41486/JETTY-980.patch is not needed, and the patch for http://jira.codehaus.org/browse/JETTY-1004 is sufficient to fix this issue (otherwise the relevant file affected by this issue in jetty-5.1.14 is jetty-5.1.14/src/org/mortbay/util/Resource.java).

The provided PoC from http://jira.codehaus.org/browse/JETTY-980 (part "Description") can be used for verification.

--

For CVE-2009-1523, the patch and the file which needs to be patched are mentioned in the previous comment.
Comment 4 Jeff Johnston 2009-05-13 20:15:05 UTC
Created attachment 343870: Proposed patch for jetty 5.1.14.
Comment 5 Jeff Johnston 2009-05-13 20:51:59 UTC
Created attachment 343874: Proposed patch for jetty 5.1.14. Fixed patch.
Comment 6 Vincent Danen 2009-05-19 20:38:41 UTC
Jetty 5.1.15 has been released to correct the directory traversal issue (possibly the XSS issue, I'm awaiting confirmation on that since I can't seem to find a relevant CVS repository for Jetty 5.x): http://dist.codehaus.org/jetty/jetty-5.1.x/
Comment 9 Vincent Danen 2009-05-22 19:26:40 UTC
CVE-2009-1523 was fixed in the upstream 5.1.15 release. CVE-2009-1524 has not been confirmed in Jetty 5.x by upstream; if it does affect Jetty 5.x it is not fixed. Upstream's mitigation solution for CVE-2009-1524 is to disable directory listings by setting dirAllowed to false in the webdefault.xml file, which we should do in Fedora since this should be only permitted by administrators as they need it, and not as a default anyways.
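The two bug classes in this report (traversal out of the document root in the description, and unescaped directory listings plus the dirAllowed mitigation in the comment above) reduce to two checks in a static-file handler. The following is an added example, not Jetty's code and not any of the patches attached here: it assumes a fixed document root, plain java.io.File, and a constructor flag that plays the role of the dirAllowed init-param from webdefault.xml; stripping the ;param path segment before the filesystem lookup is this example's own choice, not a description of Jetty's fix.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added example: a minimal static-file resolver with the two defences this
 * bug report is about. Not Jetty code; the class, the dirAllowed flag and the
 * semicolon handling are assumptions made for illustration.
 */
public class SafeStaticHandler {
    private final File docRoot;
    private final boolean dirAllowed;   // stands in for webdefault.xml's dirAllowed

    public SafeStaticHandler(File docRoot, boolean dirAllowed) throws IOException {
        this.docRoot = docRoot.getCanonicalFile();
        this.dirAllowed = dirAllowed;
    }

    /**
     * Resolve a decoded request path to a file, or return null when the
     * canonical result lies outside the document root. Canonicalisation
     * collapses "..", "." and symlinks, so the containment test is made on the
     * resolved path rather than by pattern-matching the raw URI.
     */
    public File resolve(String requestPath) throws IOException {
        // Drop any ;param=value path parameters before touching the filesystem.
        int semi = requestPath.indexOf(';');
        if (semi >= 0) {
            requestPath = requestPath.substring(0, semi);
        }
        File candidate = new File(docRoot, requestPath).getCanonicalFile();
        String rootPrefix = docRoot.getPath() + File.separator;
        if (!candidate.equals(docRoot) && !candidate.getPath().startsWith(rootPrefix)) {
            return null;   // would escape the root: refuse to serve
        }
        return candidate;
    }

    /** Render a directory listing, or null when listings are disabled. */
    public String listing(File dir, String requestPath) {
        if (!dirAllowed) {
            return null;   // the mitigation from the comment above: no listing at all
        }
        StringBuilder html = new StringBuilder("<h1>Directory: ")
            .append(escapeHtml(requestPath)).append("</h1><ul>");
        File[] entries = dir.listFiles();
        if (entries != null) {
            for (File f : entries) {
                // Every attacker-influenced string (request path, file names) is
                // escaped before it reaches the HTML output.
                String name = escapeHtml(f.getName());
                html.append("<li><a href=\"").append(name).append("\">")
                    .append(name).append("</a></li>");
            }
        }
        return html.append("</ul>").toString();
    }

    /** Escape the characters that matter in HTML text and attribute context. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo root under the temp directory.
        File root = new File(System.getProperty("java.io.tmpdir"), "safe-static-demo");
        root.mkdirs();

        SafeStaticHandler locked = new SafeStaticHandler(root, false);
        System.out.println("/index.html        -> " + locked.resolve("/index.html"));
        System.out.println("/../../etc/passwd  -> " + locked.resolve("/../../etc/passwd"));
        System.out.println("listing (disabled) -> " + locked.listing(root, "/"));

        SafeStaticHandler open = new SafeStaticHandler(root, true);
        System.out.println("listing (escaped)  -> " + open.listing(root, "/;<script>"));
    }
}
```

Run with `javac SafeStaticHandler.java && java SafeStaticHandler`: the traversal path resolves to null, the locked handler returns no listing, and the open handler shows the request path with `<` and `>` entity-encoded. The point of doing the containment check on the canonical path is that it holds regardless of how the traversal sequence was spelled in the URI; the point of the flag is that a listing which is never generated cannot carry injected markup.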
Comment 10 Fedora Update System 2009-05-22 19:27:09 UTC
jetty-5.1.15-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/jetty-5.1.15-3.fc9
Comment 11 Fedora Update System 2009-05-22 19:28:56 UTC
jetty-5.1.15-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/jetty-5.1.15-3.fc10
Comment 12 Fedora Update System 2009-05-22 19:58:56 UTC
jetty-5.1.15-4.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/jetty-5.1.15-4.fc11
Comment 13 Fedora Update System 2009-05-26 07:55:42 UTC
jetty-5.1.15-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2009-05-26 07:56:12 UTC
jetty-5.1.15-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2009-05-26 07:56:55 UTC
jetty-5.1.15-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.