DEBIAN_DLA-3592.NASL (Nessus plugin, www.tenable.com)

Debian DLA-3592-1 : jetty9 - LTS security update

Published: Oct 01, 2023
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
Keywords: debian 10, jetty, outofmemoryerror, multipart requests, cookie smuggling, cgiservlet, command execution, security update, vulnerabilities, cve-2023-26048, cve-2023-26049, cve-2023-36479, http/1 header, request smuggling, upgrade

AI Score: 6.3 Medium (Confidence: High)

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3592 advisory.

  • Jetty is a Java-based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause an OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of fileSizeThreshold=0, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw an OutOfMemoryError. The server may be able to recover after the OutOfMemoryError and continue its service, although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade.
    Users unable to upgrade may set the multipart parameter maxRequestSize to a non-negative value, so the whole multipart content is limited (although it is still read into memory).
    (CVE-2023-26048)

  • Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote, even if a semicolon is encountered. So, a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is also significant when an intermediary enforces some policy based on cookies: a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
    (CVE-2023-26049)

  • Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
    (CVE-2023-36479)

  • Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts a `+` character preceding the Content-Length value in an HTTP/1 header field. This is more permissive than the RFC allows, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround, as there is no known exploit scenario. (CVE-2023-40167)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
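Two of the issues above (CVE-2023-26049 and CVE-2023-40167) are parser-leniency bugs: Jetty accepts input that an RFC-conforming peer would read differently or reject, and the disagreement is what makes smuggling possible. The following Python is an added example, not Jetty's code and not part of the advisory. The "lenient" functions are approximations modelled on the behaviour the advisory describes (a value starting with a double quote is read through semicolons up to a closing quote; a sign before the Content-Length digits is accepted), the "strict" ones follow RFC 6265 and RFC 9110, and the differential helpers report where the two disagree. The cookie header used assumes, as the advisory states, that the DISPLAY_LANGUAGE value begins with a double quote.

```python
"""Parser-differential model for the Jetty cookie and Content-Length issues.

Added example; approximations written for illustration, not Jetty's parsers.
"""
import re


# --- CVE-2023-26049: cookie value beginning with a double quote ------------

def parse_cookies_strict(header: str) -> dict:
    """RFC 6265 style: pairs are separated by ';' and a quote in a value
    has no special meaning, so it can never hide a following pair."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def parse_cookies_lenient(header: str) -> dict:
    """Model of the pre-fix behaviour the advisory describes: a value that
    starts with '"' is read up to the closing quote, ';' included; with no
    closing quote the rest of the header becomes the value."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        j = eq + 1
        if j < n and header[j] == '"':
            close = header.find('"', j + 1)
            if close == -1:  # unbalanced quote: swallow everything that follows
                value, i = header[j + 1:], n
            else:
                value = header[j + 1:close]
                semi = header.find(";", close)
                i = n if semi == -1 else semi + 1
        else:
            semi = header.find(";", j)
            if semi == -1:
                value, i = header[j:].strip(), n
            else:
                value, i = header[j:semi].strip(), semi + 1
        if name:
            cookies[name] = value
    return cookies


def smuggled_cookies(header: str) -> set:
    """Cookie names a strict parser sees as separate pairs but the lenient
    parser folded into another cookie's value (e.g. an HttpOnly session id)."""
    return set(parse_cookies_strict(header)) - set(parse_cookies_lenient(header))


# --- CVE-2023-40167: '+' accepted before the Content-Length digits --------

_DIGITS = re.compile(r"[0-9]+")


def content_length_strict(value: str):
    """RFC 9110: Content-Length = 1*DIGIT; anything else should draw a 400.
    `value` is assumed to be already trimmed of surrounding whitespace."""
    return int(value) if _DIGITS.fullmatch(value) else None


def content_length_lenient(value: str):
    """Permissive stand-in for a signed-number parser: Python's int() takes a
    leading '+' and also '_' digit separators, neither of which is 1*DIGIT."""
    try:
        return int(value)
    except ValueError:
        return None


def content_length_differential(value: str) -> bool:
    """True when a strict peer would reject the value the lenient side accepts;
    that is the precondition for the smuggling scenario the advisory mentions."""
    return content_length_strict(value) is None and content_length_lenient(value) is not None


if __name__ == "__main__":
    hdr = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d'  # constructed, per the advisory
    print("lenient:", parse_cookies_lenient(hdr))
    print("strict: ", parse_cookies_strict(hdr))
    print("smuggled:", smuggled_cookies(hdr))
    for cl in ("42", "+42", "4_2", "abc"):
        print(cl, "strict=", content_length_strict(cl), "lenient=", content_length_lenient(cl))
```

Running `smuggled_cookies` over real Cookie headers at a proxy is a cheap detection for the cookie issue: any non-empty result means an unpatched Jetty behind the proxy would see a different cookie set than the proxy did. The Content-Length check is the same idea; a front end that accepts `+42` forwards a request its back end may frame differently, which is the disagreement request smuggling needs.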

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3592. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(182409);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/21");

  script_cve_id(
    "CVE-2023-26048",
    "CVE-2023-26049",
    "CVE-2023-36479",
    "CVE-2023-40167"
  );
  script_xref(name:"IAVB", value:"2023-B-0082-S");

  script_name(english:"Debian DLA-3592-1 : jetty9 - LTS security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3592 advisory.

  - Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support
    (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or
    `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request
    with a part that has a name but no filename and very large content. This happens even with the default
    settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client
    may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server
    may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some
    time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade.
    Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-
    negative value, so the whole multipart content is limited (although still read into memory).
    (CVE-2023-26048)

  - Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an
    attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering
    with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `` (double quote), it
    will continue to read the cookie string until it sees a closing quote -- even if a semicolon is
    encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=b; JSESSIONID=1337; c=d` will be parsed as
    one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate
    cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the
    DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into
    the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is
    enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by
    the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14,
    11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
    (CVE-2023-26049)

  - Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the
    CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a
    request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet
    will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command
    prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the
    user contains a quotation mark followed by a space, the resulting command line will contain multiple
    tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
    (CVE-2023-36479)

  - Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and
    12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This
    is more permissive than allowed by the RFC and other servers routinely reject such requests with 400
    responses. There is no known exploit scenario, but it is conceivable that request smuggling could result
    if jetty is used in combination with a server that does not close the connection after sending such a 400
    response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no
    workaround as there is no known exploit scenario. (CVE-2023-40167)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/jetty9");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3592");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-26048");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-26049");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-36479");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-40167");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/jetty9");
  script_set_attribute(attribute:"solution", value:
"Upgrade the jetty9 packages.

For Debian 10 buster, these problems have been fixed in version 9.4.16-0+deb10u3.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-40167");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/04/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:jetty9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjetty9-extra-java");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjetty9-java");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '10.0', 'prefix': 'jetty9', 'reference': '9.4.16-0+deb10u3'},
    {'release': '10.0', 'prefix': 'libjetty9-extra-java', 'reference': '9.4.16-0+deb10u3'},
    {'release': '10.0', 'prefix': 'libjetty9-java', 'reference': '9.4.16-0+deb10u3'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jetty9 / libjetty9-extra-java / libjetty9-java');
}
Vendor   Product        Version                CPE
debian   debian_linux   jetty9                 p-cpe:/a:debian:debian_linux:jetty9
debian   debian_linux   libjetty9-extra-java   p-cpe:/a:debian:debian_linux:libjetty9-extra-java
debian   debian_linux   libjetty9-java         p-cpe:/a:debian:debian_linux:libjetty9-java
debian   debian_linux   10.0                   cpe:/o:debian:debian_linux:10.0