Bug 499867 (CVE-2009-1523, CVE-2009-1524)

Summary: CVE-2009-1523 CVE-2009-1524: multiple vulnerabilities in jetty
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jjohnstn, jlieskov
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1523
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-26 21:39:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
upstream patch to fix CVE-2009-1523 in jetty 6.x
none
Proposed patch for jetty 5.1.14.
none
Proposed patch for jetty 5.1.14. none

Description Vincent Danen 2009-05-08 16:10:38 UTC 
Common Vulnerabilities and Exposures assigned the identifiers CVE-2009-1523
and CVE-2009-1524 to the following vulnerabilities:

Name: CVE-2009-1523
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1523
Assigned: 20090505
Reference: CONFIRM: http://jira.codehaus.org/browse/JETTY-1004
Reference: CONFIRM: http://www.kb.cert.org/vuls/id/CRDY-7RKQCY
Reference: CERT-VN:VU#402580
Reference: URL: http://www.kb.cert.org/vuls/id/402580
Reference: BID:34800
Reference: URL: http://www.securityfocus.com/bid/34800
Reference: SECUNIA:34975
Reference: URL: http://secunia.com/advisories/34975

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty
before 6.1.17, and 7.0.0.M2 and earlier 7.x versions, allows remote
attackers to access arbitrary files via directory traversal sequences
in the URI.

Name: CVE-2009-1524
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1524
Assigned: 20090505
Reference: CONFIRM: http://jira.codehaus.org/browse/JETTY-980
Reference: BID:34800
Reference: URL: http://www.securityfocus.com/bid/34800
Reference: SECUNIA:34975
Reference: URL: http://secunia.com/advisories/34975

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before
6.1.17 allows remote attackers to inject arbitrary web script or HTML
via a directory listing request containing a ; (semicolon) character.


Note: it is unclear whether or not this affects jetty 5.x, which is the version that is included in Fedora.
Comment 2 Vincent Danen 2009-05-08 16:15:29 UTC 
Created attachment 343124 [details]
upstream patch to fix CVE-2009-1523 in jetty 6.x

Looking at the patch, I believe 5.x would be affected by this as well on a quick first glance.  I need to look at it a bit closer, but with some quick grepping, it looks like:

Response.java maps to servlet/ServletHttpResponse.java and possibly some duplicate code in servlet/Dispatcher.java.  The URIUtil.java maps to util/URI.java (thus changing all URIUtil.* functions to URI.*).
Comment 3 Jan Lieskovsky 2009-05-13 11:58:16 UTC 
For CVE-2009-1524:

Upstream issue description is here:
http://jira.codehaus.org/browse/JETTY-980

According to comment from:
http://jira.codehaus.org/browse/JETTY-980?focusedCommentId=174717&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_174717

patch from:
http://jira.codehaus.org/secure/attachment/41486/JETTY-980.patch

is not needed and patch for:
http://jira.codehaus.org/browse/JETTY-1004

sufficient to fix this issue (otherwise relevant file affected by this
issue in jetty-5.1.14 is jetty-5.1.14/src/org/mortbay/util/Resource.java).

Provided PoC from http://jira.codehaus.org/browse/JETTY-980 (part "Description"
can be used for verification).

--

For CVE-2009-1523, the patch and file, which needs to be patched are
mentioned in previous comment.
Comment 4 Jeff Johnston 2009-05-13 20:15:05 UTC 
Created attachment 343870 [details]
Proposed patch for jetty 5.1.14.
Comment 5 Jeff Johnston 2009-05-13 20:51:59 UTC 
Created attachment 343874 [details]
Proposed patch for jetty 5.1.14.

Fixed patch.
Comment 6 Vincent Danen 2009-05-19 20:38:41 UTC 
Jetty 5.1.15 has been released to correct the directory traversal issue (possibly the XSS issue, I'm awaiting confirmation on that since I can't seem to find a relevant CVS repository for Jetty 5.x):

http://dist.codehaus.org/jetty/jetty-5.1.x/
Comment 9 Vincent Danen 2009-05-22 19:26:40 UTC 
CVE-2009-1523 was fixed in the upstream 5.1.15 release.  CVE-2009-1524 has not been confirmed in Jetty 5.x by upstream; if it does affect Jetty 5.x it is not fixed.

Upstream's mitigation solution for CVE-2009-1524 is to disable directory listings by setting dirAllowed to false in the webdefault.xml file, which we should do in Fedora since this should be only permitted by administrators as they need it, and not as a default anyways.
Comment 10 Fedora Update System 2009-05-22 19:27:09 UTC 
jetty-5.1.15-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/jetty-5.1.15-3.fc9
Comment 11 Fedora Update System 2009-05-22 19:28:56 UTC 
jetty-5.1.15-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/jetty-5.1.15-3.fc10
Comment 12 Fedora Update System 2009-05-22 19:58:56 UTC 
jetty-5.1.15-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/jetty-5.1.15-4.fc11
Comment 13 Fedora Update System 2009-05-26 07:55:42 UTC 
jetty-5.1.15-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2009-05-26 07:56:12 UTC 
jetty-5.1.15-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2009-05-26 07:56:55 UTC 
jetty-5.1.15-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.