Bug 532693 (CVE-2009-4609, CVE-2009-4610, CVE-2009-4612)

Summary: CVE-2009-4609 CVE-2009-4610 CVE-2009-4612 jetty: multiple XSS and information leaks in demo servlets
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jjohnstn, jrusnack, overholt, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-22 07:50:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 532733
Bug Blocks:

Description Tomas Hoger 2009-11-03 14:58:53 UTC
ush.it reported multiple flaws affecting jetty 6.x and 7.x:

  http://www.ush.it/2009/10/25/jetty-6x-and-7x-multiple-vulnerabilities/

The following information leak problems are reported for demo applications:

 A) "Dump Servlet" information leak
    (Affected versions: Any)

 B) "FORM Authentication demo" information leak
    (Affected versions: Any)

and XSS issues:

 C) "JSP Dump" reflected XSS
    (Affected versions: Any)

 D) "Session Dump Servlet" stored XSS
    (Affected versions: Any)

 G) "Cookie Dump Servlet" stored XSS
    (Affected versions: =<6.1.20)

 H) WebApp JSP Snoop page XSS
    (Affected versions: =<6.1.21)
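The "dump" demos listed above (D, G, H) share one pattern: a servlet prints request data such as cookie names and values straight into an HTML page. Because a browser re-sends a cookie on every later request, a value carrying markup is re-rendered each time, which is why the advisory classes it as stored rather than reflected XSS. The following is an added example written for this bug page, not Jetty's own CookieDump servlet code: a hypothetical SafeCookieDumpServlet against the javax.servlet API of the Jetty 6 era, showing the unsafe rendering beside an HTML-escaped version and a stand-alone check with a constructed cookie.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical dump servlet written for this page; it is not Jetty's CookieDump demo.
public class SafeCookieDumpServlet extends HttpServlet {

    // Vulnerable pattern: cookie name and value are concatenated into HTML unescaped.
    // The browser stores the cookie and re-sends it, so the markup is rendered on every
    // later visit of the dump page (stored XSS).
    static String renderUnsafe(Cookie c) {
        return "<li>" + c.getName() + " = " + c.getValue() + "</li>";
    }

    // Hardened pattern: escape for the HTML text context before interpolating.
    static String renderSafe(Cookie c) {
        return "<li>" + escapeHtml(c.getName()) + " = " + escapeHtml(c.getValue()) + "</li>";
    }

    // Minimal HTML entity encoder for text and attribute-value contexts.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Declaring the charset keeps the browser from guessing an encoding that
        // could turn otherwise harmless bytes into markup.
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><h1>Cookies</h1><ul>");
        Cookie[] cookies = req.getCookies();   // null when the request carries no cookies
        if (cookies != null) {
            for (Cookie c : cookies) {
                out.println(renderSafe(c));
            }
        }
        out.println("</ul></body></html>");
    }

    // Stand-alone check with a constructed cookie; no servlet container is needed,
    // only the servlet API jar on the classpath for the Cookie class.
    public static void main(String[] args) {
        Cookie crafted = new Cookie("demo", "<script>alert(1)</script>");
        System.out.println(renderUnsafe(crafted)); // the script tag reaches the browser intact
        System.out.println(renderSafe(crafted));   // <li>demo = &lt;script&gt;alert(1)&lt;/script&gt;</li>
    }
}
```

Escaping fixes the XSS items, but it does not address the information-leak items (A, B) or the broader point made later in this bug: a dump page that prints request and server internals has no place in a production deployment, and the eventual resolution here was to stop shipping the demo applications at all.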

Comment 1 Tomas Hoger 2009-11-03 14:59:48 UTC
Local copy of the advisory:
  https://bugzilla.redhat.com/show_bug.cgi?id=532675#c1

Comment 2 Tomas Hoger 2009-11-03 15:01:13 UTC
As noted in the advisory, 'G) "Cookie Dump Servlet" stored XSS' was previously made public via Core Security advisory - see CVE-2009-3579 / bug #532656.

Comment 3 Tomas Hoger 2009-11-03 16:58:44 UTC
I'm not sure why A) and B) are considered information leaks.

Dump Servlet mostly contains information relevant to the current connection that is already known to the client.  For the rest, it is the purpose of that demo to dump that info, so it's not really a flaw in jetty, rather in a production deployment where that demo is not disabled.

For the FORM Authentication demo, the only leak mentioned is the information that jetty is running on the host.  Server (including version) identification in the HTTP reply header is as good a source of such info, if not better.

I'm not sure if upstream is going to do anything about those.

Comment 4 Tomas Hoger 2009-11-03 16:59:36 UTC
I don't see any fix for the other XSS issues committed in upstream SVN so far, but the fixes should appear in 6.1.22.

Comment 17 Tomas Hoger 2010-01-22 07:50:02 UTC
Example applications are no longer included in jetty 6.x packages.