Operation on a Resource after Expiration or Release in Eclipse Jetty



Published: 2020-07-09 | Updated: 2020-08-08
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-17638
CWE-ID CWE-672
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Jetty
Server applications / Web servers

Vendor Eclipse

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Operation on a Resource after Expiration or Release

EUVDB-ID: #VU34161

Risk: High

CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17638

CWE-ID: CWE-672 - Operation on a Resource after Expiration or Release

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Jetty: 9.4.27 - 9.4.29

External links

http://bugs.eclipse.org/bugs/show_bug.cgi?id=564984


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###