Date: 05 December 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0975 -- [Win][UNIX/Linux]
Multiple Vulnerabilities in Mortbay Jetty
5 December 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mortbay Jetty
Publisher: US-CERT
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Cross-site Scripting
Inappropriate Access
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2007-5615 CVE-2007-5614 CVE-2007-5613
Original Bulletin: http://www.kb.cert.org/vuls/id/212984
http://www.kb.cert.org/vuls/id/438616
http://www.kb.cert.org/vuls/id/237888
Comment: This bulletin contains three (3) US-CERT security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
US-CERT Vulnerability Note VU#212984
Mortbay Jetty vulnerable to HTTP response splitting
Overview
Mortbay Jetty is vulnerable to HTTP response splitting, which may
allow a remote, unauthenticated attacker to inject various HTTP
headers.
I. Description
Mortbay Jetty is a web server that is written in Java. Jetty fails
to properly handle HTTP headers with CRLF sequences, which can
allow an attacker to inject certain HTTP headers into server
responses.
II. Impact
A remote, unauthenticated attacker may be able to perform a
cross-site scripting attack, set cookies, or poison a proxy cache.
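The splitting described above, as an added example that is not from the original bulletin or from Jetty's code: a stand-in redirect handler copies a caller-supplied path into the Location header, a minimal client-side reader shows the resulting byte stream being parsed as two separate responses (the second one entirely attacker-authored), and a hardened builder refuses the control characters. The handler, the payload and the reader are constructed for illustration; the payload assumes the application has already URL-decoded a `%0d%0a` sequence, which is where such checks are usually missed.

```python
"""Added example (not Jetty code): how CR/LF in a header value splits one
HTTP response into two, and the check that prevents it."""
from typing import Callable, Dict, List, Tuple

# Constructed attacker input. A handler that redirects to a user-supplied
# path drops it straight into the Location header; the embedded CRLFs end
# the real response and start a second, attacker-controlled one.
INJECTED_PATH = (
    "/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


class HeaderInjection(ValueError):
    """Raised when a header value contains characters that terminate a header."""


def build_redirect_vulnerable(target: str) -> bytes:
    # Copies the value into the header with no validation (the bug class).
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n"
    ).encode("latin-1")


def build_redirect_hardened(target: str) -> bytes:
    # A header field can only be ended by CRLF, so refusing CR, LF and NUL
    # in the value closes the injection path. Reject rather than strip, so a
    # tampered request fails loudly instead of silently changing meaning.
    if any(ch in target for ch in "\r\n\x00"):
        raise HeaderInjection("control character in header value")
    return build_redirect_vulnerable(target)


def split_responses(raw: bytes) -> Tuple[List[Dict[str, object]], bytes]:
    """Read a byte stream the way a browser or caching proxy would: status
    line, header lines up to the blank line, then Content-Length bytes of
    body, repeated. Returns the messages found and any unparsed tail."""
    messages: List[Dict[str, object]] = []
    pos = 0
    while True:
        while raw.startswith(b"\r\n", pos):      # tolerate stray blank lines
            pos += 2
        if not raw.startswith(b"HTTP/", pos):
            break
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        status, *header_lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        headers: Dict[str, str] = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = raw[body_start:body_start + length]
        messages.append({"status": status, "headers": headers, "body": body})
        pos = body_start + length
    return messages, raw[pos:]


def count_responses(builder: Callable[[str], bytes], target: str) -> int:
    """How many distinct HTTP responses a client sees from one server reply."""
    messages, _ = split_responses(builder(target))
    return len(messages)


def hardened_rejects(target: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_redirect_hardened(target)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    msgs, tail = split_responses(build_redirect_vulnerable(INJECTED_PATH))
    for m in msgs:
        print(m["status"], m["headers"], m["body"])
    print("unparsed tail:", tail)
    print("hardened builder rejects payload:", hardened_rejects(INJECTED_PATH))
```

The second parsed message is what a shared proxy would cache for `/home` and what a browser would render, which is how header injection turns into the cross-site scripting and cache poisoning listed under Impact. The same check belongs on every value copied into a header, `Set-Cookie` included.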
III. Solution
Apply an update
This issue is addressed in Mortbay Jetty 6.1.6 [2]. Details are
available in the release notes [1].
Systems Affected
Vendor      Status      Date Updated
Mort Bay    Vulnerable  4-Dec-2007
References
[1] http://svn.codehaus.org/jetty/jetty/trunk/VERSION.txt
[2] http://dist.codehaus.org/jetty/jetty-6.1.6/
Credit
Thanks to Tomasz Kuczynski for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
Date Public 03/11/2007
Date First Published 04/12/2007 13:21:11
Date Last Updated 03/12/2007
CERT Advisory
CVE Name CVE-2007-5615
Metric 4.41
Document Revision 3
US-CERT Vulnerability Note VU#438616
Mortbay Jetty fails to properly handle cookies with quotes
Overview
Mortbay Jetty fails to properly handle cookie quotes, which may
allow session hijacking.
I. Description
Mortbay Jetty is a web server that is written in Java. Jetty fails
to properly handle cookies with certain quote sequences. This can
cause the Jetty cookie parsing mechanism to improperly handle all
of the cookies in the cookie string that follow the cookie with
the quote sequence.
II. Impact
This vulnerability can increase the likelihood that a session
hijacking attempt succeeds. In the presence of a cross-site scripting
vulnerability, it may also allow a denial-of-service attack against a
web site by preventing a client from being able to log in using
cookies.
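The failure class described in this note, as an added example that is not from the original bulletin and is not Jetty's parser: one Cookie-header parser treats a quoted value as extending to its closing quote, so a planted cookie whose quote sequence is never closed swallows every cookie after it, including the session cookie; a second parser in the RFC 6265 style bounds each value at the next `;` so one malformed cookie cannot affect its neighbours. The cookie strings are constructed; the scanning parser is an illustration of the described behaviour, not a reconstruction of the Jetty 6 code, and RFC 6265 postdates this bulletin.

```python
"""Added example (not Jetty code): a Cookie-header parser with the
"unclosed quote swallows the rest" failure class, beside a bounded one."""
from typing import Dict

# Constructed inputs. POISONED is a cookie an attacker could plant through
# script (document.cookie) where an XSS exists; its quote is never closed,
# and the session cookie follows it in the header.
POISONED = 'a="\\"; JSESSIONID=abc123; pref=dark'
NORMAL = "JSESSIONID=abc123; pref=dark"
QUOTED_SEMICOLON = 'a="x;y"; b=1'   # legal under RFC 2109 quoted-string values


def parse_cookies_quote_scanning(header: str) -> Dict[str, str]:
    """Illustration of the failure class, not Jetty's implementation.
    A value starting with DQUOTE is scanned to the matching DQUOTE,
    honouring backslash escapes, so ';' inside quotes is preserved. If the
    quote is never closed the scan runs to the end of the header and every
    later cookie disappears into the value."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        j = eq + 1
        while j < n and header[j] == " ":
            j += 1
        if j < n and header[j] == '"':
            k = j + 1
            while k < n and header[k] != '"':
                if header[k] == "\\":        # escaped character: skip it
                    k += 1
                k += 1
            value = header[j + 1:k]          # k == n when unterminated
            semi = header.find(";", k)
        else:
            semi = header.find(";", j)
            value = header[j:semi if semi != -1 else n].strip()
        if name:
            cookies[name] = value
        i = n if semi == -1 else semi + 1
    return cookies


def parse_cookies_rfc6265(header: str) -> Dict[str, str]:
    """RFC 6265 style: split on ';' first, then on the first '='. A DQUOTE
    never extends a value past the next ';', so no cookie can corrupt the
    parsing of the cookies after it. The trade-off is that ';' inside a
    quoted value is no longer supported."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.partition("=")
        if not sep:
            continue                         # no '=': not a cookie-pair
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]              # strip one surrounding pair of quotes
        if name:
            cookies[name] = value
    return cookies


def session_survives(parser, header: str) -> bool:
    """Does the session cookie come out of the parser intact?"""
    return parser(header).get("JSESSIONID") == "abc123"


if __name__ == "__main__":
    for parser in (parse_cookies_quote_scanning, parse_cookies_rfc6265):
        print(parser.__name__)
        for header in (NORMAL, POISONED, QUOTED_SEMICOLON):
            print("  ", repr(header), "->", parser(header),
                  "session ok" if session_survives(parser, header) else "SESSION LOST")
```

With the scanning parser, a single planted cookie makes `JSESSIONID` vanish from every subsequent request, which is the login denial of service described under Impact; the same effect can be used to steer a victim onto an attacker-chosen session. Parsing state that can span from one cookie into the next is the property to avoid.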
III. Solution
Apply an update
This issue is addressed in Mortbay Jetty 6.1.6 [2]. Details are
available in the release notes [1].
Systems Affected
Vendor      Status      Date Updated
Mort Bay    Vulnerable  4-Dec-2007
References
[1] http://svn.codehaus.org/jetty/jetty/trunk/VERSION.txt
[2] http://dist.codehaus.org/jetty/jetty-6.1.6/
Credit
Thanks to Tomasz Kuczynski for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
Date Public 05/11/2007
Date First Published 04/12/2007 13:05:14
Date Last Updated 03/12/2007
CERT Advisory
CVE Name CVE-2007-5614
Metric 2.78
Document Revision 4
US-CERT Vulnerability Note VU#237888
Mortbay Jetty Dump Servlet vulnerable to cross-site scripting
Overview
The Mortbay Jetty Dump Servlet contains a cross-site scripting
vulnerability.
I. Description
Mortbay Jetty is a web server that is written in Java. The Dump
Servlet that is included with Jetty is vulnerable to cross-site
scripting. Note that according to the vendor, the Dump Servlet is
for testing purposes and is not intended to be included in a live
web site.
II. Impact
A remote, unauthenticated attacker may be able to perform a
cross-site scripting attack against a Jetty web server. More
information about cross-site scripting can be found in CERT
Advisory CA-2000-02.
III. Solution
Apply an update
This issue is addressed in Mortbay Jetty 6.1.6 [3]. Details are
available in the release notes [1].
Remove the Dump Servlet
This issue can be mitigated by removing the Dump Servlet from the
web server.
Systems Affected
Vendor      Status      Date Updated
Mort Bay    Vulnerable  4-Dec-2007
References
[1] http://svn.codehaus.org/jetty/jetty/trunk/VERSION.txt
[2] http://jira.codehaus.org/browse/JETTY-452
[3] http://dist.codehaus.org/jetty/jetty-6.1.6/
Credit
Thanks to Tomasz Kuczynski for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
Date Public 05/11/2007
Date First Published 04/12/2007 12:40:07
Date Last Updated 03/12/2007
CERT Advisory
CVE Name CVE-2007-5613
Metric 3.29
Document Revision 7
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR1YUvih9+71yA2DNAQJCdgP8C5agYbzKAZGYYVBet+zMR5dCafAwERWf
NM+mJW+dgqBrXRBTBhnnEsTzAHouv9iDye3L4evTErrRU2B9cdtwPBvkNk8uiNfG
8/5cx9F4jIom/hXWcvn5sQDFQ9nPjV4bgFyviWMa4lGJrOBjBRm38Z4rXr31Pkv6
RnaFd4bb6NA=
=xK2b
-----END PGP SIGNATURE-----