SB2016060101 - Security restrictions bypass in Jetty

Description

This security bulletin contains information about 1 security vulnerability.

1) Security bypass (CVE-ID: CVE-2016-4800)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an error within PathResource class when parsing URLs, which contains certain escaped characters. A remote unauthenticated attacker can bypass implemented security restrictions and gain access to protected resources (e.g. WEB-INF and META-INF folders and their contents) or bypass application filters or other restrictions, implemented in servlet configuration.

Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to otherwise protected resources.

Remediation

Install update from vendor's website.

References

• https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html
• http://www.ocert.org/advisories/ocert-2016-001.html