Potential Eclipse Jetty Server Vulnerabilities


Background

Eclipse Jetty is a lightweight Java HTTP server and servlet container. While it can be run as a stand-alone web server, it is more frequently encountered as an "embedded" server inside a larger product. Examples include Eclipse, Maven, Jenkins, Spark, GAE, Zimbra and so on.

While Jetty is generally considered to be secure, a few security problems were discovered and fixed earlier this year. A summary of recent vulnerabilities, and the Jetty versions each one affects, is maintained in the Jetty project's security advisories.

The most significant of these vulnerabilities (CVE-2018-12538, discussed below) is classified as having high severity and exploitability.

Our detection of this vulnerability is based on the Jetty version string reported by your server (typically the "Server: Jetty(...)" response header). This is not a definitive detection and may be a false positive: for example, the product you are using may incorporate a "snapshot" or vendor-patched build of Jetty whose version string does not correspond to the release it was cut from, or it may never enable or use the vulnerable functionality.

Impact

According to the description for CVE-2018-12538:

"In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore."

What we cannot tell remotely is whether any particular Jetty deployment uses this optional functionality. FileSessionDataStore is not enabled by default: in a stand-alone Jetty 9.4 it is switched on by the session-store-file module, and embedded products enable it through their own session configuration. This therefore has to be determined on a case by case basis.

Solution

The solution will depend on how you are using Jetty.

  • If you are using Jetty as a stand-alone web server, the recommended solution is to upgrade your Jetty installation to a non-vulnerable version (9.4.9 or later for the 9.4 line).
  • If you are using Jetty as part of another product, you need to check that product's website for related security bulletins. 
    • If the product site advises / recommends an upgrade, you should do it.
    • If the product site doesn't mention this as a security concern, it may still be advisable to upgrade.
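The two checks implied by the text above, as an added example that is not part of the original page or of the Jetty project: deciding from the Server header whether the reported version falls in the 9.4.0 through 9.4.8 range named in CVE-2018-12538, and inspecting a Jetty base directory for the optional file session store. The header values and the directory layout in the usage comments are constructed; a real jetty.base may also hide the banner entirely (Jetty can be configured not to send its version), in which case the first check tells you nothing.

```bash
#!/bin/sh
# Added example (not from the original page). Helpers for triaging a
# CVE-2018-12538 version-based finding on a Jetty host.

# Extract "MAJOR.MINOR.PATCH" from a Server header such as
# "Jetty(9.4.7.v20170914)". Prints nothing for a non-Jetty banner.
jetty_version_from_header() {
    printf '%s\n' "$1" |
        sed -n 's/.*Jetty(\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeeds (exit 0) when the banner version is in 9.4.0 .. 9.4.8,
# i.e. the range the CVE description names. Fails for other Jetty
# lines and for anything that is not a Jetty banner at all.
jetty_version_affected() {
    ver=$(jetty_version_from_header "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 9 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 8 ]
}

# Succeeds when a jetty.base directory (argument) enables the file
# session store: either the session-store-file module is switched on
# in start.ini / start.d, or an XML config instantiates
# FileSessionDataStore directly. Only *.ini and *.xml are searched so
# that class names inside jars in lib/ do not produce false hits.
file_session_store_enabled() {
    hits=$(find "$1" -type f \( -name '*.ini' -o -name '*.xml' \) \
        -exec grep -ls -e '^--module=session-store-file' \
                       -e 'FileSessionDataStore' {} + 2>/dev/null)
    [ -n "$hits" ]
}

# Usage (constructed values):
#   jetty_version_affected 'Jetty(9.4.7.v20170914)' && echo "in affected range"
#   file_session_store_enabled /opt/jetty-base && echo "file session store enabled"
```

A host that is in the affected range but does not enable the file session store is the false-positive case described under Background; it should still be upgraded, but the session-hijacking impact does not apply to it as configured.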

If you decide to not upgrade your Jetty service, please let us know and we can suppress the warnings for your instance's (current) IP address.  However, we do not recommend this course of action.
