New subject: [Bug 1864680] CVE-2019-17638 jetty: double release of resouce can lead to information disclosure

Monday, 3 August 2020

https://bugzilla.redhat.com/show_bug.cgi?id=1864680

            Bug ID: 1864680
           Summary: CVE-2019-17638 jetty: double release of resouce can
                    lead to information disclosure
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team(a)redhat.com
          Reporter: gsuckevi(a)redhat.com
                CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
                    bkearney(a)redhat.com, chazlett(a)redhat.com,
                    drieden(a)redhat.com,
                    eclipse-sig(a)lists.fedoraproject.org,
                    ggaughan(a)redhat.com, gmalinko(a)redhat.com,
                    gvarsami(a)redhat.com, hhorak(a)redhat.com,
                    janstey(a)redhat.com, java-maint(a)redhat.com,
                    java-sig-commits(a)lists.fedoraproject.org,
                    jcoleman(a)redhat.com, jjohnstn(a)redhat.com,
                    jochrist(a)redhat.com, jorton(a)redhat.com,
                    jwon(a)redhat.com, kconner(a)redhat.com,
                    krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
                    ldimaggi(a)redhat.com, mat.booth(a)redhat.com,
                    mizdebsk(a)redhat.com, nwallace(a)redhat.com,
                    pdrozd(a)redhat.com, pjindal(a)redhat.com,
                    rwagner(a)redhat.com, sochotni(a)redhat.com,
                    sthorger(a)redhat.com, tcunning(a)redhat.com,
                    tkirby(a)redhat.com, tlestach(a)redhat.com
  Target Milestone: ---
    Classification: Other

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too
large response headers, Jetty throws an exception to produce an HTTP 431 error.
When this happens, the ByteBuffer containing the HTTP response headers is
released back to the ByteBufferPool twice. Because of this double release, two
threads can acquire the same ByteBuffer from the pool and while thread1 is
about to use the ByteBuffer to write response1 data, thread2 fills the
ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that
now contains response2 data. This results in client1, which issued request1 and
expects responses, to see response2 which could contain sensitive data
belonging to client2 (HTTP session ids, authentication credentials, etc.).

References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984
https://github.com/eclipse/jetty.project/issues/4936

-- 
You are receiving this mail because:
You are on the CC list for the bug.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

[Bug 1864680] New: CVE-2019-17638 jetty: double release of resouce can lead to information disclosure