Vulnerability CVE-2009-4611 in Java Connector Server

Article ID: 228406

Products

CA Identity Manager

Issue/Introduction

A penetration scan has identified the CVE-2009-4611 vulnerability against a server running the CA Identity Manager JCS (Java Connector Server) 14.3.

Is this vulnerability putting our server / network at risk?

Is version 14.4 also affected?

Environment

Release: 14.3.x, 14.4.x

Component: IdentityMinder (Identity Manager)

Resolution

CVE-2009-4611 impacts Jetty 6.x through 6.1.22 and 7.0.0. IM JCS 14.3 and 14.4 use Jetty v7.2.2, so they are not impacted. However, the JCS code does include a customization that leverages the ServiceMix bundle for the Jetty v6.1.26_1-fuse library. This may result in false positives where a scanner reports the Jetty version as 6.x (this can be seen using curl -vvv).

The vulnerability (CVE-2009-4611), Escape Sequence Injection via "Cookie Dump Servlet", "Http Content-Length header", "jsp/expr.jsp", is not possible against JCS. The custom bundle of the Jetty v6.1.26_1-fuse library (org.apache.servicemix.bundles.jetty-6.1.26_1-fuse.jar) is a trimmed version consisting of a single JAR file, without any of the sample code that contains the vulnerable servlet ("Cookie Dump Servlet") and JSP ("jsp/expr.jsp").
Please note that org.apache.servicemix.bundles.jetty-6.1.26_1-fuse.jar is an OSGi bundle that is part of Apache ServiceMix, and it can be upgraded only when ServiceMix is upgraded in JCS.

In summary, there is no way that this vulnerability can be exploited through the Jetty customization used in the JCS server.  The IM JCS uses Jetty libraries for its internal use and does not expose Jetty web container capabilities directly to the end-users. None of the Jetty code that is vulnerable (mentioned in CVE-2009-4611) is exposed via JCS. 
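To triage a scanner finding like this one, the two checks described above can be scripted. The following is an added example, not code from CA or from the JCS product: it parses a Jetty version out of a banner or JAR name, tests it against the range stated in this article, and lists any JAR entries that look like the sample servlet or JSP. The banner format `Jetty(x.y.z)`, the marker substrings and the in-memory JAR are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Substrings used to spot the sample code named in the article inside a JAR.
# Matching entry names on these markers is an assumption of this example.
SAMPLE_MARKERS = ("cookiedump", "expr.jsp")


def parse_version(text):
    """Return (major, minor, patch) from 'Jetty(6.1.26)' or '6.1.26_1-fuse'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def in_affected_range(version):
    """Range as stated in the article: Jetty 6.x through 6.1.22, and 7.0.0."""
    return (version[0] == 6 and version <= (6, 1, 22)) or version == (7, 0, 0)


def sample_entries(jar_file):
    """List JAR entries whose names contain one of the sample-code markers."""
    with zipfile.ZipFile(jar_file) as jar:
        return [n for n in jar.namelist() if any(k in n.lower() for k in SAMPLE_MARKERS)]


def triage(banner, jar_file):
    """Combine the banner version check with the JAR content check."""
    version, hits = parse_version(banner), sample_entries(jar_file)
    return {"version": version, "in_affected_range": in_affected_range(version),
            "sample_entries": hits}


def build_jar(names):
    """Build a constructed in-memory JAR with empty entries (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in names:
            jar.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    trimmed = build_jar(["META-INF/MANIFEST.MF", "org/mortbay/jetty/Server.class"])
    print(triage("Server: Jetty(6.1.26)", trimmed))
```

On a real host, pass the path to the bundle JAR instead of the constructed one; an empty `sample_entries` list only shows that no entry name matched the markers.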

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2009-4611