List:       bugtraq
Subject:    GDS Labs Alert [CVE-2015-2080] - JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty We
From:       rgutierrez () gdssecurity ! com
Date:       2015-02-25 16:21:29
Message-ID: 201502251621.t1PGLTm2019618 () sf01web2 ! securityfocus ! com

GDS LABS ALERT: CVE-2015-2080
JetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server

SYNOPSIS
========
Gotham Digital Science discovered a critical information leakage vulnerability in the Jetty web server that allows an unauthenticated remote attacker to read data from previous requests and responses submitted to the server by other users.

The vulnerability was made public by the Jetty development team on the 24th of February 2015 and included proof-of-concept exploit code. As a result, GDS Labs recommends upgrading the Jetty web server to a version patched against this vulnerability as soon as possible.


IMPACT
======
Using a vulnerable version of the Jetty web server can lead to the compromise of sensitive data, including data passed within headers (e.g. cookies, authentication tokens, etc.) as well as data passed in the POST body (e.g. usernames, passwords, authentication tokens, CSRF tokens, PII, etc.) of requests and responses handled by the web server.

The root cause of this vulnerability is the parser's exception handling: when a header value contains an illegal character, the error returned to the client echoes approximately 16 bytes of the connection's parse buffer around the point of failure. That buffer is shared between connections and still holds data from requests and responses it carried earlier, so an attacker who submits a run of illegal characters of a chosen length moves the point of failure, and with it the echoed window, to a chosen offset in the buffer. By varying the length of the run, the attacker can retrieve specific chunks of a previous exchange from the leftover buffer contents.


ARE YOU VULNERABLE?
===================
This vulnerability affects Jetty versions 9.2.3 through 9.2.8 inclusive. GDS also found that beta releases (including the beta releases of 9.3.x) are vulnerable.

GDS has created a simple Python script that can be used to determine if a Jetty HTTP server is vulnerable. The script can be downloaded from the GDS GitHub repository below:

    - https://github.com/GDSSecurity/Jetleak-Testing-Script

If running one of the vulnerable Jetty web server versions, Jetty recommends that you upgrade to version 9.2.9.v20150224 immediately. Organizations should also be aware that Jetty might be bundled within third-party products. GDS recommends referring to the Jetty Powered website (http://eclipse.org/jetty/powered/) for a non-exhaustive list of products that utilize Jetty. Because Jetty is a fairly lightweight HTTP server, it is also commonly used in a variety of embedded systems. Organizations should contact any vendors whose products may be running a Jetty web server in order to determine if those products are vulnerable and when patches to resolve this vulnerability will be made available.

We have encountered cases where development teams use Jetty as a lightweight replacement for app servers such as Tomcat for internal testing. Organizations should consider notifying their development teams about the vulnerability and requiring them to upgrade any vulnerable versions of Jetty.
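Because Jetty is so often bundled inside other products or dropped into a developer's classpath, the practical first step is an inventory. The script below is an added example written for this page (not GDS or Jetty code): it walks a filesystem for Jetty jars, reads the version from each jar's manifest, and classifies it against the affected range stated above. Assumptions: Jetty jars are named `jetty-<module>-<version>.jar` and record their version in the `Bundle-Version` or `Implementation-Version` manifest attribute; 9.3.0 milestone builds (the `M` qualifier) are reported as "check" rather than "vulnerable" because this advisory says betas are affected without enumerating them.

```python
"""Inventory check for bundled Jetty: find jetty-*.jar files and classify versions
against the JetLeak (CVE-2015-2080) range. Added example, not GDS or Jetty code."""
import re
import zipfile
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Jetty versions look like 9.2.8.v20150217 (release) or 9.3.0.M1 (milestone/beta).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?$")
# Assumption: bundled Jetty artifacts keep their upstream file names, e.g. jetty-server-9.2.8.v20150217.jar
FILENAME_RE = re.compile(r"^jetty-[a-z0-9-]+?-(\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Split '9.2.8.v20150217' into (9, 2, 8, 'v20150217'); None if it is not a Jetty-style version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) or ""


def classify(version: str) -> str:
    """'vulnerable' for 9.2.3..9.2.8, 'check' for 9.3.0 milestone builds, 'not-in-range' otherwise."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    major, minor, patch, qualifier = parsed
    if (major, minor) == (9, 2) and 3 <= patch <= 8:
        return "vulnerable"
    if (major, minor, patch) == (9, 3, 0) and qualifier.upper().startswith("M"):
        # The advisory says 9.3.x betas are affected but does not list them: confirm the exact
        # milestone against Jetty's own advisory instead of guessing either way.
        return "check"
    return "not-in-range"


def version_from_manifest(manifest: str) -> Optional[str]:
    """Pull the version out of MANIFEST.MF text.

    Assumption: Jetty jars carry it in Bundle-Version (OSGi) and/or Implementation-Version.
    """
    for line in manifest.splitlines():
        for key in ("Bundle-Version:", "Implementation-Version:"):
            if line.startswith(key):
                return line[len(key):].strip()
    return None


def version_from_filename(name: str) -> Optional[str]:
    """Fallback when the manifest is missing or unreadable."""
    m = FILENAME_RE.match(name)
    return m.group(1) if m else None


def jar_version(jar: Path) -> Optional[str]:
    """Manifest first, filename second."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        found = version_from_manifest(manifest)
    except (zipfile.BadZipFile, KeyError, OSError):
        found = None
    return found or version_from_filename(jar.name)


def scan(root: Path) -> Iterator[Tuple[Path, str, str]]:
    """Yield (path, version, verdict) for every jetty-*.jar under root."""
    for jar in sorted(root.rglob("jetty-*.jar")):
        ver = jar_version(jar)
        yield jar, ver or "?", classify(ver) if ver else "unknown"


if __name__ == "__main__":
    import sys
    for path, ver, verdict in scan(Path(sys.argv[1] if len(sys.argv) > 1 else "/")):
        print(f"{verdict:12} {ver:20} {path}")
```

Run it as `python jetty_inventory.py /opt` (or the root of a product install). The filename glob will miss Jetty that a vendor has repackaged into a single "uber" jar under its own name; for those, listing jar contents for the `org/eclipse/jetty/` package path is the next step, and the vendor remains the authority on which Jetty version they shipped.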

The latest release of the Jetty HTTP server is available for download at the \
following locations:

    - Maven - http://central.maven.org/
    - Jetty Downloads - http://download.eclipse.org/jetty


REFERENCES
==========
A thorough technical analysis of the vulnerability is available on the GDS blog at:

http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html


Jetty Vulnerability Announcement:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html

Jetty Vulnerability Advisory:

https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md



DISCLOSURE TIMELINE
===================
Feb 19, 2015 - Vulnerability report sent to security@eclipse.org using SendSafely

Feb 23, 2015 - Jetty team downloads the vulnerability report

Feb 24, 2015 - Jetty team releases HTTP Server v9.2.9.v20150224 with bug fix and publicly discloses vulnerability with exploit code

Feb 25, 2015 - GDS publicly discloses vulnerability


GDS commends the Jetty development team on their timely response and swift remediation. It should be noted that the decision to publicly disclose the vulnerability was made by the Jetty development team, independent of GDS. GDS' blog post and vulnerability disclosure were published after it was discovered that Jetty had publicly disclosed the vulnerability.


CREDITS
=======
Stephen Komal from Gotham Digital Science for discovering the bug.


About GDS Labs
==============

Security Research & Development is a core focus and competitive advantage for GDS. The GDS Labs team has the following primary directives:

    - Assessing cutting-edge technology stacks

    - Improving delivery efficiency through custom tool development

    - Finding & responsibly disclosing vulnerabilities in high value targets

    - Assessing the impact to our clients of high risk, publicly disclosed vulnerabilities

The GDS Labs R&D team performs security research, with areas of current focus including mobile application security, embedded systems, and cryptography. GDS also participates in many security related organizations and groups. GDS Labs is a value added service that our clients benefit from on virtually every engagement that we perform.


About Gotham Digital Science
============================

Gotham Digital Science (GDS) is a specialist security consulting company focused on helping our clients find, fix, and prevent security bugs in mission critical network infrastructure, web-based software applications, mobile apps and embedded systems. GDS is also committed to contributing to the security and developer communities through sharing knowledge and resources such as blog posts, security tool releases, vulnerability disclosures, and sponsoring and presenting at various industry conferences.


For more information on GDS, please contact info@gdssecurity.com or visit http://www.gdssecurity.com.

