https://bugzilla.redhat.com/show_bug.cgi?id=1864680
Bug ID: 1864680
Summary: CVE-2019-17638 jetty: double release of resouce can lead to information disclosure
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aboyko@redhat.com, aileenc@redhat.com, bkearney@redhat.com, chazlett@redhat.com, drieden@redhat.com, eclipse-sig@lists.fedoraproject.org, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, hhorak@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jjohnstn@redhat.com, jochrist@redhat.com, jorton@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, ldimaggi@redhat.com, mat.booth@redhat.com, mizdebsk@redhat.com, nwallace@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, rwagner@redhat.com, sochotni@redhat.com, sthorger@redhat.com, tcunning@redhat.com, tkirby@redhat.com, tlestach@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, when the response headers are too large, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool: while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the same ByteBuffer with response2 data. Thread1 then proceeds to write the buffer, which now contains response2 data. As a result client1, which issued request1 and expects response1, receives response2, which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984
https://github.com/eclipse/jetty.project/issues/4936
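As an added illustration (not code from the Jetty project or from this bug report), the toy Java pool below shows why a double release of a pooled buffer is an information-disclosure bug rather than a mere leak, and how an identity-tracking guard turns the second release into a loud failure. The Pool class, its guard flag and the DoubleReleaseDemo driver are all constructed for this example.

```java
import java.nio.ByteBuffer;
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

// Toy buffer pool, constructed for this example (not Jetty's ByteBufferPool). With guard=false it
// mirrors the vulnerable behaviour: a buffer released twice is queued twice and handed out twice.
final class Pool {
    private final ArrayDeque<ByteBuffer> free = new ArrayDeque<>();
    private final Set<ByteBuffer> pooled = Collections.newSetFromMap(new IdentityHashMap<>());
    private final boolean guard;
    Pool(boolean guard) { this.guard = guard; }

    synchronized ByteBuffer acquire(int capacity) {
        ByteBuffer b = free.poll();
        if (b == null) return ByteBuffer.allocate(capacity);
        pooled.remove(b);
        return b;
    }

    synchronized void release(ByteBuffer b) {
        // If b is already a member of the identity set, it is already in the pool: a double release.
        boolean fresh = pooled.add(b);
        if (!fresh && guard) throw new IllegalStateException("double release of pooled buffer");
        b.clear();
        free.offer(b);
    }
}

public class DoubleReleaseDemo {
    public static void main(String[] args) {
        Pool naive = new Pool(false);
        ByteBuffer headers = naive.acquire(64);
        naive.release(headers); // legitimate release on the HTTP 431 error path
        naive.release(headers); // the bug: the same buffer is released a second time
        ByteBuffer forResponse1 = naive.acquire(64);
        ByteBuffer forResponse2 = naive.acquire(64);
        // Two unrelated responses now share one backing buffer: what the second writer puts in it is what the first flushes.
        System.out.println("same buffer handed out twice: " + (forResponse1 == forResponse2));
        Pool guarded = new Pool(true);
        ByteBuffer h = guarded.acquire(64);
        guarded.release(h);
        try {
            guarded.release(h);
        } catch (IllegalStateException e) {
            System.out.println("guarded pool rejected the double release: " + e.getMessage());
        }
    }
}
```

The guard costs one identity-set lookup per release; in a real pool the same check belongs on every release path, including the error handlers that produced this bug.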
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:

What       | Removed | Added
Depends On |         | 1864683
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1864683 [Bug 1864683] CVE-2019-17638 jetty: double release of resouce can lead to information disclosure [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1864683]
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:

What   | Removed | Added
Blocks |         | 1864684
Chess Hazlett chazlett@redhat.com changed:

What    | Removed                                                                          | Added
Summary | CVE-2019-17638 jetty: double release of resouce can lead to information disclosure | CVE-2019-17638 jetty: double release of resource can lead to information disclosure
Jonathan Christison jochrist@redhat.com changed:

What     | Removed | Added
Priority | medium  | high
Severity | medium  | high
Jonathan Christison jochrist@redhat.com changed:

What             | Removed | Added
Fixed In Version |         | jetty-9.4.30.v20200611
Yadnyawalk Tale ytale@redhat.com changed:

What | Removed                                  | Added
CC   | bkearney@redhat.com, tlestach@redhat.com |
--- Comment #8 from Yadnyawalk Tale ytale@redhat.com ---
Red Hat Satellite 5 was shipping jetty/nutch; however, it has been EOL since March 31, 2020. Red Hat does not ship those components in Satellite 6 onward. Reference: https://access.redhat.com/support/policy/updates/satellite
Bug 1864680 depends on bug 1864683, which changed state.

Bug 1864683 Summary: CVE-2019-17638 jetty: double release of resource can lead to information disclosure [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1864683

What       | Removed | Added
Status     | ON_QA   | CLOSED
Resolution | ---     | ERRATA
Jonathan Christison jochrist@redhat.com changed:

What | Removed | Added
CC   |         | abenaiss@redhat.com, aos-bugs@redhat.com, bmontgom@redhat.com, eparis@redhat.com, extras-orphan@fedoraproject.org, jburrell@redhat.com, jokerman@redhat.com, msrb@redhat.com, nstielau@redhat.com, pbhattac@redhat.com, sponnaga@redhat.com, vbobade@redhat.com
--- Comment #11 from Przemyslaw Roguski proguski@redhat.com ---
External References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984
https://www.jenkins.io/security/advisory/2020-08-17/
Przemyslaw Roguski proguski@redhat.com changed:

What       | Removed | Added
Depends On |         | 1875257
Przemyslaw Roguski proguski@redhat.com changed:

What       | Removed | Added
Depends On |         | 1875258
Przemyslaw Roguski proguski@redhat.com changed:

What       | Removed | Added
Depends On |         | 1875259
Przemyslaw Roguski proguski@redhat.com changed:

What       | Removed | Added
Depends On |         | 1875260
Przemyslaw Roguski proguski@redhat.com changed:

What       | Removed | Added
Depends On |         | 1875261
Przemyslaw Roguski proguski@redhat.com changed:

What       | Removed | Added
Depends On |         | 1877292
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2020:3841 https://access.redhat.com/errata/RHSA-2020:3841
errata-xmlrpc errata-xmlrpc@redhat.com changed:

What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:3841
Product Security DevOps Team prodsec-dev@redhat.com changed:

What        | Removed | Added
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2020-09-30 20:21:19

--- Comment #13 from Product Security DevOps Team prodsec-dev@redhat.com ---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-17638
--- Comment #14 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.4
Via RHSA-2020:4220 https://access.redhat.com/errata/RHSA-2020:4220
errata-xmlrpc errata-xmlrpc@redhat.com changed:

What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:4220
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2020:4223 https://access.redhat.com/errata/RHSA-2020:4223
errata-xmlrpc errata-xmlrpc@redhat.com changed:

What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:4223
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Fuse 7.8.0
Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
errata-xmlrpc errata-xmlrpc@redhat.com changed:

What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:5568