
Bug #23608: Several low impact CVE in Jetty 10.0.12

Added by François ARMAND over 2 years ago. Updated almost 2 years ago.

Status: Released
Priority: N/A
Category: Security
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

CVE-2023-26048 https://nvd.nist.gov/vuln/detail/CVE-2023-26048
OutOfMemory error with some crafted multi-part POST. The only effect can be a denial of service, which is of low risk for the Rudder security profile.

CVE-2023-26049 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
Specially crafted session cookies can lead to displaying information on a page.
Rudder does not display any cookie anywhere, and even if it did, we are using additional libraries for cookie parsing which are not known to be subject to that problem.

CVE-2023-40167 https://nvd.nist.gov/vuln/detail/CVE-2023-40167
No known exploit scenario.

CVE-2023-26049 https://nvd.nist.gov/vuln/detail/CVE-2023-26049
HTTP/2 related, and Rudder does not use HTTP/2.

CVE-2023-36479 https://nvd.nist.gov/vuln/detail/CVE-2023-36479
Targets CgiServlet, which we don't use in Rudder.

CVE-2023-41900 https://nvd.nist.gov/vuln/detail/CVE-2023-41900
We are not using Jetty OpenID authenticator.

All of these issues are resolved in a more recent 10.x version of Jetty and we should update.


Subtasks 3 (0 open, 3 closed)

Bug #23622: Some jetty patches don't apply to 10.0.17 (Released, Alexis Mousset)
Bug #23637: Failed upmerge in parent (Released, Vincent MEMBRÉ)
Bug #23641: parent ticket break rudder-jetty (Rejected, Alexis Mousset)

Related issues 2 (0 open, 2 closed)

Related to Rudder - Bug #23609: Assessments of several low impact CVE in current 7.3.x reported by contrastsecurity tool (Released, Vincent MEMBRÉ)
Related to Rudder - Bug #23648: Revert jetty upgrade to 10.0.17 for now (Released, Vincent MEMBRÉ)

Updated by François ARMAND over 2 years ago (#1)

  • Description updated (diff)

Updated by François ARMAND over 2 years ago (#2)

  • Related to Bug #23609: Assessments of several low impact CVE in current 7.3.x reported by contrastsecurity tool added

Updated by François ARMAND over 2 years ago (#3)

  • Status changed from New to In progress
  • Assignee set to François ARMAND

Updated by François ARMAND over 2 years ago (#4)

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/2824

Updated by Anonymous over 2 years ago (#5)

  • Status changed from Pending technical review to Pending release

Updated by François ARMAND over 2 years ago (#6)

  • Subtask #23622 added

Updated by Alexis Mousset about 2 years ago (#7)

  • Related to Bug #23648: Revert jetty upgrade to 10.0.17 for now added

Updated by Alexis Mousset about 2 years ago (#8)

  • Fix check changed from To do to Checked

Updated by Vincent MEMBRÉ about 2 years ago (#9)

This bug has been fixed in Rudder 7.3.8 and 8.0.1 which were released today.

Updated by Vincent MEMBRÉ almost 2 years ago (#10)

  • Status changed from Pending release to Released