Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-15338

High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 8.8.1
    • None
    • None
    • None

    Description

      High security vulnerability ahs been reported in the Jetty jar bundled within Solr:

       

       

       

      BDSA-2021-0848

      Affected Component(s): Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
      Vulnerability Published: 2021-04-02 06:29 EDT
      Vulnerability Updated: 2021-04-02 06:29 EDT
      CVSS Score: 6.7 (overall), 7.5 (base)

      Summary: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid TLS frames. An attacker could exploit this by sending a TLS frame with a size in excess of 17408 resulting in excessive resource consumption leading to a DoS condition.

      Solution: Fixed in 10.0.2 and 11.0.2 by this and this commit. Fixed in 9.4.39.v20210325 by this and this commit.

       

      BDSA-2021-0849

      Affected Component(s): Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
      Vulnerability Published: 2021-04-02 06:55 EDT
      Vulnerability Updated: 2021-04-02 06:55 EDT
      CVSS Score: 4.6 (overall), 5.3 (base)

      Summary: Eclipse Jetty is vulnerable to sensitive data exposure via default compliance mode. An attacker could exploit this by using a URL containing %2e or %2e%2e segments. These were improperly allowed to access protected resources in the WEB-INF directory.

      Solution: Fixed in 9.4.39.v20210325 by this commit.

       

      BDSA-2021-0850

      Affected Component(s): Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
      Vulnerability Published: 2021-04-02 09:09 EDT
      Vulnerability Updated: 2021-04-02 09:09 EDT
      CVSS Score: 2.4 (overall), 2.7 (base)

      Summary: Eclipse Jetty is vulnerable to sensitive data exposure via symlink directory. A high privileged attacker could exploit this in order to view the contents of a symlink webapp directory.

      CVE-2021-28163

      Vulnerability Published: 2021-04-01 11:15 EDT
      Vulnerability Updated: 2021-04-01 11:30 EDT
      CVSS Score: (under review, not scored yet - updates will be reported in issue comments)

      Summary: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

       

      CVE-2021-28164

      Vulnerability Published: 2021-04-01 11:15 EDT
      Vulnerability Updated: 2021-04-01 11:30 EDT
      CVSS Score: (under review, not scored yet - updates will be reported in issue comments)

      Summary: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

       

      CVE-2021-28165

      Vulnerability Published: 2021-04-01 11:15 EDT
      Vulnerability Updated: 2021-04-01 11:30 EDT
      CVSS Score: (under review, not scored yet - updates will be reported in issue comments)

      Summary: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

       

       

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              wcmrnd WCM RnD
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: