Eclipse Jetty Multiple Vulnerabilities detected on port 8181 - Jetty(9.4.7.v20170914)

Article ID: 131887

Products

CA Infrastructure Management
CA Performance Management - Usage and Administration
CA Performance Management - Data Polling

Issue/Introduction

CAPC uses Jetty as its embedded web server.

Which version of CAPC addresses the following Jetty vulnerabilities?
1) HTTP/0.9 Request Smuggling (CVE-2017-7656)
2) Transfer-Encoding Request Smuggling (CVE-2017-7657)
3) Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace (CVE-2017-7658)
4) InvalidPathException Message (CVE-2018-12536)
5) FileSessionDataStore Session Hijacking (CVE-2018-12538)
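The header ambiguities named in the CVE-2017-7658 title (duplicate Content-Length, Content-Length together with Transfer-Encoding, stray whitespace in header lines) are exactly what a strict front-end should reject before a request reaches an older Jetty. The validator below is an added example written for this article, not CA or Eclipse code; the sample request heads are constructed for illustration.

```python
import re

# Constructed sample request heads (not from the article): one clean, three
# showing the header ambiguities named in the CVE-2017-7658 title.
CLEAN = b"POST /api HTTP/1.1\r\nHost: capc\r\nContent-Length: 5\r\n\r\nhello"
DOUBLE_CL = b"POST /api HTTP/1.1\r\nHost: capc\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n"
CL_AND_TE = b"POST /api HTTP/1.1\r\nHost: capc\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
SPACED_NAME = b"POST /api HTTP/1.1\r\nHost: capc\r\nContent-Length : 5\r\n\r\n"


def audit_request_headers(raw: bytes) -> list:
    """Return ambiguity findings for one raw HTTP/1.x request head.

    A strict front-end (reverse proxy or WAF) should reject a request with any
    finding instead of guessing which body length the origin server will use.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    findings, content_lengths, transfer_encodings = [], [], []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        if line[0] in " \t":
            findings.append("obsolete line folding (header line starts with whitespace)")
            continue
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"malformed header line: {line!r}")
            continue
        if name != name.strip():
            findings.append(f"whitespace around header name: {name!r}")
        key = name.strip().lower()
        if key == "content-length":
            content_lengths.append(value.strip())
        elif key == "transfer-encoding":
            transfer_encodings.append(value.strip())
    if len(content_lengths) > 1:
        findings.append(f"duplicate Content-Length: {content_lengths}")
    for cl in content_lengths:
        if not re.fullmatch(r"[0-9]+", cl):
            findings.append(f"non-numeric Content-Length: {cl!r}")
    if content_lengths and transfer_encodings:
        findings.append("both Content-Length and Transfer-Encoding present")
    return findings


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("double CL", DOUBLE_CL),
                          ("CL+TE", CL_AND_TE), ("spaced name", SPACED_NAME)]:
        print(label, "->", audit_request_headers(sample) or "no findings")
```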
Jetty versions affected:
9.4.0.v20161208
9.4.1.v20170120
9.4.2.v20170220
9.4.3.v20170317
9.4.4.v20170414
9.4.5.v20170502
9.4.6.v20170531
9.4.7.v20170914
9.4.8.v20171121

Environment

CAPC 3.7.x
CAPC 3.6.x

Resolution

CAPC 3.8 will embed Jetty 9.4.17.v20190418, which remediates these vulnerabilities.

Additional Information

https://www.eclipse.org/lists/jetty-announce/msg00123.html