Fluid Attacks Database

Description

Jetty vulnerable to exposure of sensitive information due to observable discrepancy Jetty through 9.4.x contains a timing channel attack in util/security/Password.java, which allows attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.eclipse.jetty:jetty-util	>=0 <9.4.6.v20170531	9.4.6.v20170531
maven	org.eclipse.jetty:jetty-server	>=9.4.0 <9.4.6.v20170531 \|\| >=9.3.0 <9.3.20.v20170531 \|\| >=0 <9.2.22.v20170606	9.4.6.v20170531, 9.3.20.v20170531, 9.2.22.v20170606
debian 11	jetty9	>=0 <9.2.22-1	9.2.22-1
debian 14	jetty9	>=0 <9.2.22-1	9.2.22-1
debian 12	jetty9	>=0 <9.2.22-1	9.2.22-1
debian 13	jetty9	>=0 <9.2.22-1	9.2.22-1
rpm rhel7	jetty	-	-
rpm rhel6	jetty-eclipse	-	-

Aliases

1. CVE-2017-97352. NVD-2017-97353. OSV-2017-97354. OSV-DEBIAN-2017-97355. GCVE-2017-97356. lists.debian.org7. SECURITY-TRACKER-CVE-2017-9735

References

1. http://www.securityfocus.com/bid/991042. https://github.com/eclipse/jetty.project/issues/15563. https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc024. https://bugs.debian.org/8646315. https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E6. https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559@%3Ccommon-dev.hadoop.apache.org%3E7. https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E8. https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a@%3Ccommon-issues.hadoop.apache.org%3E9. https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E10. https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E11. https://web.archive.org/web/20170826163336/http://www.securityfocus.com/bid/9910412. https://www.oracle.com//security-alerts/cpujul2021.html13. https://www.oracle.com/security-alerts/cpuoct2020.html14. https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.