Bug #21888

closed

CVE in Jetty 9.4.32 Rudder 6.2

Added by Nicolas CHARLES over 1 year ago. Updated 8 months ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

Rudder 6.2 uses jetty-9.4.32.v20200930, with the following CVEs (the description is set only for MED and HIGH severity):

CVE-2022-2047
CVE-2022-2048: In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.

CVE-2021-34428
CVE-2021-28169: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-28165: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-28163: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
CVE-2020-27223
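
The CVE-2021-28169 entry above turns on one detail: `%2557` decodes to `%57` after one pass and to `W` only after a second, so a filter that checks the once-decoded path for `WEB-INF` never sees it. The script below is an added example (not code from the Rudder or Jetty projects) showing the defender's side of that: a decoder that repeats until the string is stable, a segment-exact check for `WEB-INF`/`META-INF`, and a scan of access-log lines that reports requests which reach a protected directory once fully decoded. The log lines, client addresses and function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Rudder traffic). The second and
# third mirror the doubly/triply encoded form of the CVE-2021-28169 request;
# the fourth is a benign look-alike that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2022:10:00:01 +0000] "GET /rudder/index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Jul/2022:10:00:02 +0000] "GET /concat?/%2557EB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.7 - - [10/Jul/2022:10:00:03 +0000] "GET /concat?/%252557EB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.9 - - [10/Jul/2022:10:00:04 +0000] "GET /static/WEB-INF-notes.txt HTTP/1.1" 200 64
10.0.0.9 - - [10/Jul/2022:10:00:05 +0000] "GET /app/../WEB-INF/classes/Config.class HTTP/1.1" 404 0
"""

PROTECTED_DIRS = ("WEB-INF", "META-INF")
MAX_DECODE_ROUNDS = 5  # bounded loop; a decoder that stops after one pass is exactly the weak spot

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode repeatedly until the string stops changing.

    One decode of %2557 yields %57, which is still encoded; a second round
    yields 'W'. Checking only the once-decoded form is what lets the doubly
    encoded request past a WEB-INF filter.
    """
    current = value
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def touches_protected_dir(request_target: str) -> bool:
    """True if any segment of the fully decoded target (query string included,
    because ConcatServlet takes its paths from the query) is WEB-INF or
    META-INF. Segment-exact matching avoids flagging names such as
    WEB-INF-notes.txt."""
    decoded = fully_decode(request_target)
    # '?' and '&' are treated as separators so the paths inside a concat query
    # become segments; backslashes are split as well.
    segments = re.split(r"[/\\?&]", decoded)
    return any(seg.upper() in PROTECTED_DIRS for seg in segments)


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_target) for each log line whose request
    reaches a protected directory after full decoding."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group("target")
        if touches_protected_dir(target):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, target))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"protected-directory access from {ip}: {target}")
```

On the constructed sample the scan reports the two encoded `concat` requests and the `../WEB-INF` request, and leaves the `WEB-INF-notes.txt` request alone. The check is deliberately conservative (it does not resolve `..` segments), which is the right trade-off for log triage; the real fix remains the Jetty upgrade noted below.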

Actions #1

Updated by François ARMAND over 1 year ago

  • Subject changed from CVE in Rudder 6.2 to CVE in Jetty 9.4.32 Rudder 6.2

We need jetty-9.4.47.v20220610

Actions #2

Updated by François ARMAND over 1 year ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND

Actions #3

Updated by François ARMAND over 1 year ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/2672

Actions #4

Updated by Anonymous over 1 year ago

  • Status changed from Pending technical review to Pending release

Actions #5

Updated by Vincent MEMBRÉ over 1 year ago

  • Fix check changed from To do to Checked

Actions #6

Updated by Vincent MEMBRÉ over 1 year ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.2.20, 7.1.7 and 7.2.1 which were released today.

Actions #7

Updated by Alexis Mousset 8 months ago

  • Private changed from Yes to No