[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: GDS Labs Alert [CVE-2015-2080] - JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty We
From: rgutierrez () gdssecurity ! com
Date: 2015-02-25 16:21:29
Message-ID: 201502251621.t1PGLTm2019618 () sf01web2 ! securityfocus ! com
[Download RAW message or body]
GDS LABS ALERT: CVE-2015-2080
JetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server
SYNOPSIS
========
Gotham Digital Science discovered a critical information leakage vulnerability in the \
Jetty web server that allows an unauthenticated remote attacker to read arbitrary \
data from previous requests and responses submitted to the server by other users.
The vulnerability was made public by the Jetty development team on the 24th of \
February 2015 and included proof-of-concept exploit code. As a result, GDS Labs \
recommends upgrading Jetty web server to a version patched against this vulnerability \
as soon as possible.
IMPACT
======
Using a vulnerable version of the Jetty web server can lead to the compromise of \
sensitive data including data passed within headers (e.g. cookies, authentication \
tokens, etc.), as well as data passed in the POST body (e.g. usernames, passwords, \
authentication tokens, CSRF tokens, PII, etc.) of requests and responses handled by \
the web server.
The root cause of this vulnerability can be traced to exception handling code that \
returns approximately 16 bytes of data from a shared buffer when illegal characters \
are submitted in header values to the server. An attacker can exploit this behavior \
by submitting carefully crafted requests containing variable length strings of \
illegal characters to trigger the exception and offset into the shared buffer. Since \
the shared buffer contains user submitted data from previous requests, the Jetty \
server will return specific data chunks from a previous exchange depending on the \
attacker’s payload offset.
ARE YOU VULNERABLE?
===================
This vulnerability affects versions 9.2.3 to 9.2.8. GDS also found that beta releases \
(including the beta releases of 9.3.x) are vulnerable.
GDS have created a simple python script that can be used to determine if a Jetty HTTP \
server is vulnerable. The script code can be downloaded from the GDS Github \
repository below:
- https://github.com/GDSSecurity/Jetleak-Testing-Script
If running one of the vulnerable Jetty web server versions, Jetty recommends that you \
upgrade to version 9.2.9.v20150224 immediately. Organizations should also be aware \
that Jetty might be bundled within third party products. GDS recommends referring to \
the Jetty Powered website (http://eclipse.org/jetty/powered/) for a non-exhaustive \
list of products that utilize Jetty. Due to Jetty being a fairly lightweight HTTP \
server, it is also commonly used by a variety of embedded systems. Organizations \
should contact any vendors that may be running a Jetty web server in order to \
determine if their products are vulnerable and when any patches to resolve this \
vulnerability will be made available.
We have encountered cases where development teams use Jetty as a light-weight \
replacement for app servers such as Tomcat for internal testing. Organizations should \
consider notifying their development teams about the vulnerability and require teams \
to upgrade any vulnerable versions of Jetty.
The latest release of the Jetty HTTP server is available for download at the \
following locations:
- Maven - http://central.maven.org/
- Jetty Downloads - http://download.eclipse.org/jetty
REFERENCES
==========
A thorough technical analysis of the vulnerability is available on the GDS blog at:
http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
Jetty Vulnerability Announcement:
http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
Jetty Vulnerability Advisory:
https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md
DISCLOSURE TIMELINE
===================
Feb 19, 2015 - Vulnerability report sent to security@eclipse.org using SendSafely
Feb 23, 2015 - Jetty team downloads the vulnerability report
Feb 24, 2015 - Jetty team releases HTTP Server v9.2.9.v20150224 with bug fix and \
publicly discloses vulnerability with exploit code
Feb 25, 2015 - GDS publicly discloses vulnerability
GDS commends the Jetty development team on their timely response and swift \
remediation. It should be noted that the decision to publicly disclose the \
vulnerability was made by the Jetty development team, independent of GDS. GDS’ blog \
post and vulnerability disclosure was published after it was discovered that Jetty \
had publicly disclosed the vulnerability.
CREDITS
=======
Stephen Komal from Gotham Digital Science for discovering the bug.
About GDS Labs
==============
Security Research & Development is a core focus and competitive advantage for GDS. \
The GDS Labs team has the following primary directives:
- Assessing cutting-edge technology stacks
- Improving delivery efficiency through custom tool development
- Finding & responsibly disclosing vulnerabilities in high value targets
- Assessing the impact to our clients of high risk, publicly disclosed \
vulnerabilities
The GDS Labs R&D team performs security research, with areas of current focus \
including mobile application security, embedded systems, and cryptography. GDS also \
participates in many security related organizations and groups. GDS Labs is a value \
added service that our clients benefit from on virtually every engagement that we \
perform.
About Gotham Digital Science
=======================
Gotham Digital Science (GDS) is a specialist security consulting company focused on \
helping our clients find, fix, and prevent security bugs in mission critical network \
infrastructure, web-based software applications, mobile apps and embedded systems. \
GDS is also committed to contributing to the security and developer communities \
through sharing knowledge and resources such as blog posts, security tool releases, \
vulnerability disclosures, sponsoring and presenting at various industry conferences. \
For more information on GDS, please contact info@gdssecurity.com or visit \
http://www.gdssecurity.com.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic