Sep 19, 2022 - 8:54 p.m.

Security Bulletin: Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk.

2022-09-19 20:54:31
www.ibm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.028 Low
Percentile: 90.6%

Summary

The BAYEUX_BROWSER cookie is generated by the CometD server and remains live for the duration of the session. In older versions of the CometD server, the BAYEUX_BROWSER cookie was neither true for https nor for secure. The current version, i.e. 5.0.3, has a provision to make the cookie true for https and secure.

Vulnerability Details

CVEID: CVE-2007-5615
**DESCRIPTION:** Jetty is vulnerable to CRLF injection, caused by improper validation of user-supplied input. A remote attacker could inject arbitrary commands using CRLF sequences, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/38899 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2007-6672
**DESCRIPTION:** Jetty could allow a remote attacker to obtain sensitive information, caused by the improper processing of URLs containing multiple forward slash (/) characters. An attacker could exploit this vulnerability to gain unauthorized access to restricted files and view arbitrary directories on the Web server.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/39407 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2009-1523
**DESCRIPTION:** Jetty HTTP server could allow a remote attacker to traverse directories on the system, caused by an error when the DefaultServlet with support for aliases is explicitly enabled or the ResourceHandler class is configured to serve static content. An attacker could exploit this vulnerability by sending a specially-crafted URL request to view arbitrary files on the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/50298 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2009-1524
**DESCRIPTION:** Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using an appended “;” character in the directory listing’s path via a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/50301 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2009-4609
**DESCRIPTION:** Jetty could allow a remote attacker to obtain sensitive information, caused by an error in the Dump Servlet. By sending a request to a URI ending in /dump/, a remote attacker could exploit this vulnerability to obtain sensitive information about internal variables and other data.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/55650 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2009-4610
**DESCRIPTION:** Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the dump.jsp in the JSP Dump feature and the default URI for the Session Dump Servlet under session/. A remote attacker could exploit this vulnerability using the Name or Value parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/55651 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2009-4611
**DESCRIPTION:** Ruby could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to filter terminal escape sequences in HTTP requests by the WEBrick component. By sending a specially-crafted HTTP request containing escape sequences and persuading a victim to view the logfile using the “cat” or “tail” tools, a remote attacker could inject the escape sequences into WEBrick logs and execute malicious control characters on the victim’s terminal emulator.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/55533 for the current score.
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVEID: CVE-2009-4612
**DESCRIPTION:** Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the WebApp JSP Snoop page. A remote attacker could exploit this vulnerability using the PATH_INFO in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/55652 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2009-5045
**DESCRIPTION:** Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the Dump Servlet. A remote attacker could exploit this vulnerability to obtain sensitive information and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171886 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2009-5046
**DESCRIPTION:** Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the JSP Dump and Session Dump Servlet. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171885 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2009-5047
**DESCRIPTION:** Jetty could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection vulnerability in the Cookie Dump Servlet and Http Content-Length header. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171884 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2009-5048
**DESCRIPTION:** Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Cookie Dump Servlet. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171883 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2009-5049
**DESCRIPTION:** Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the JSP Snoop page in Webapp. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171880 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2011-4461
**DESCRIPTION:** Jetty is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests to an affected application containing conflicting hash key values, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72017 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2017-7656
**DESCRIPTION:** Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw in the HTTP/1.x Parser. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145520 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2017-7657
**DESCRIPTION:** Eclipse Jetty is vulnerable to HTTP request smuggling, caused by improper handling of Chunked Transfer-Encoding chunk size. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145521 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2017-7658
**DESCRIPTION:** Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw when handling more than one Content-Length header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145522 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2017-9735
**DESCRIPTION:** Jetty could allow a remote attacker to obtain sensitive information, caused by a timing channel flaw in util/security/Password.java. By observing elapsed times before rejection of incorrect passwords, an attacker could exploit this vulnerability to obtain access information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/127842 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-10247
**DESCRIPTION:** Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the DefaultHandler. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160610 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Control Desk | IBM Control Desk 7.6.x |
| IBM SmartCloud Control Desk | 7.5.X |

Remediation/Fixes

For IBM Control Desk 7.6.1.4 and earlier versions:

web.xml has a provision to make the BAYEUX_BROWSER cookie true for https and secure. The cookie path can also be updated using <init-param> elements on the CometDServlet entry in the deployment descriptor.
<https://docs.cometd.org/current/reference/>
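
To check a deployment descriptor for the setting described above, here is an added example (not part of the IBM bulletin and not CometD or IBM code) that audits the CometDServlet entry in a web.xml. It assumes the CometD server option names `browserCookieSecure`, `browserCookieHttpOnly` and `browserCookiePath`, and reads the bulletin's "https" as the HttpOnly cookie attribute; the sample descriptors and the `/example-context` path are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed CometD option names for the BAYEUX_BROWSER cookie (not on the page).
# Explicit values are required so the result does not depend on version defaults.
REQUIRED = {"browserCookieSecure": "true", "browserCookieHttpOnly": "true"}

def local(tag):
    """Strip the XML namespace so namespaced and plain web.xml files both match."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def text_of(elem, name):
    found = children(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_web_xml(xml_text):
    """Return {servlet-name: [findings]} for every CometDServlet entry."""
    root = ET.fromstring(xml_text)
    report = {}
    for servlet in children(root, "servlet"):
        if not text_of(servlet, "servlet-class").endswith("CometDServlet"):
            continue
        params = {text_of(p, "param-name"): text_of(p, "param-value")
                  for p in children(servlet, "init-param")}
        findings = [f"{k} is {params.get(k) or 'not set'}, expected {v}"
                    for k, v in REQUIRED.items()
                    if params.get(k, "").lower() != v]
        report[text_of(servlet, "servlet-name")] = findings
    return report

# Constructed sample descriptors (not taken from an IBM Control Desk install).
WEAK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cometd</servlet-name>
    <servlet-class>org.cometd.server.CometDServlet</servlet-class>
  </servlet>
</web-app>"""

HARDENED = WEAK.replace("</servlet-class>", """</servlet-class>
    <init-param><param-name>browserCookieSecure</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>browserCookieHttpOnly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>browserCookiePath</param-name><param-value>/example-context</param-value></init-param>""")

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_web_xml(doc))
```

An empty findings list means both flags are set explicitly; after redeploying, confirm the result against the `Set-Cookie` header the server actually returns for BAYEUX_BROWSER.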

Workarounds and Mitigations

None

CPE

| Name | Operator | Version |
| --- | --- | --- |
| control desk | eq | 7.6.1 |
