Project

General

Profile

Actions

Bug #23608

closed

Several low impact CVE in Jetty 10.0.12

Added by François ARMAND about 1 year ago. Updated 9 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

CVE-2023-26048 https://nvd.nist.gov/vuln/detail/CVE-2023-26048
OutOfMemory error with some craft multi-part POST. The only effect can be a denial of service, which is of low risk for Rudder security profil.

CVE-2023-26049 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
Specialy craft session cookies can lead to displaying information on page.
Rudder does not display any cookie anywhere, and even if it was, we are using additional libraries for cookie parsing which are not known to be subjected to that problem.

CVE-2023-40167 https://nvd.nist.gov/vuln/detail/CVE-2023-40167
no known exploit scenario

CVE-2023-26049 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
HTTP/2 related, and Rudder does not user HTTP/2

CVE-2023-36479 https://nvd.nist.gov/vuln/detail/CVE-2023-36479
Target CgiServlet, which we don't use in Rudder

CVE-2023-41900 https://nvd.nist.gov/vuln/detail/CVE-2023-41900
We are not using Jetty OpenID authenticator.

All of these issue are resolved in a more recent 10.x version of Jetty and we should update


Subtasks 3 (0 open3 closed)

Bug #23622: Some jetty patches don't apply to 10.0.17ReleasedAlexis MoussetActions
Bug #23637: Failed upmerge in parentReleasedVincent MEMBRÉActions
Bug #23641: parent ticket break rudder-jettyRejectedAlexis MoussetActions

Related issues 2 (0 open2 closed)

Related to Rudder - Bug #23609: Assessments of several low impact CVE in current 7.3.x reported by contrastsecurity tool ReleasedVincent MEMBRÉActions
Related to Rudder - Bug #23648: Revert jetty upgrade to 10.0.17 for nowReleasedVincent MEMBRÉActions
Actions #1

Updated by François ARMAND about 1 year ago

  • Description updated (diff)
Actions #2

Updated by François ARMAND about 1 year ago

  • Related to Bug #23609: Assessments of several low impact CVE in current 7.3.x reported by contrastsecurity tool added
Actions #3

Updated by François ARMAND about 1 year ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #4

Updated by François ARMAND about 1 year ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/2824
Actions #5

Updated by Anonymous about 1 year ago

  • Status changed from Pending technical review to Pending release
Actions #6

Updated by François ARMAND about 1 year ago

  • Subtask #23622 added
Actions #7

Updated by Alexis Mousset about 1 year ago

  • Related to Bug #23648: Revert jetty upgrade to 10.0.17 for now added
Actions #8

Updated by Alexis Mousset about 1 year ago

  • Fix check changed from To do to Checked
Actions #9

Updated by Vincent MEMBRÉ about 1 year ago

This bug has been fixed in Rudder 7.3.8 and 8.0.1 which were released today.

Actions #10

Updated by Vincent MEMBRÉ 9 months ago

  • Status changed from Pending release to Released
Actions

Also available in: Atom PDF