WID-SEC-W-2022-1365
Vulnerability from csaf_certbund
Published
2021-04-05 22:00
Modified
2024-06-03 22:00
Summary
Eclipse Jetty: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Eclipse Jetty ist ein Java-HTTP-Server und Java-Servlet-Container.
Angriff
Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Eclipse Jetty ausnutzen, um Informationen offenzulegen und einen Denial of Service Zustand auszulösen.
Betroffene Betriebssysteme
- Linux - Sonstiges - UNIX - Windows



{
   document: {
      aggregate_severity: {
         text: "mittel",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "Eclipse Jetty ist ein Java-HTTP-Server und Java-Servlet-Container.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Eclipse Jetty ausnutzen, um Informationen offenzulegen und einen Denial of Service Zustand auszulösen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Linux\n- Sonstiges\n- UNIX\n- Windows",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2022-1365 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-1365.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2022-1365 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1365",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:1560 vom 2021-05-13",
            url: "https://access.redhat.com/errata/RHSA-2021:1560",
         },
         {
            category: "external",
            summary: "Eclipse Foundation Security Advisory vom 2021-04-05",
            url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq",
         },
         {
            category: "external",
            summary: "Eclipse Foundation Security Advisory vom 2021-04-05",
            url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5",
         },
         {
            category: "external",
            summary: "Eclipse Foundation Security Advisory vom 2021-04-05",
            url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w",
         },
         {
            category: "external",
            summary: "Eclipse Foundation Security Advisory vom 2021-04-05",
            url: "https://www.eclipse.org/lists/jetty-announce/msg00154.html",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:1552 vom 2021-05-19",
            url: "https://access.redhat.com/errata/RHSA-2021:1552",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:1551 vom 2021-05-19",
            url: "https://access.redhat.com/errata/RHSA-2021:1551",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:1561 vom 2021-05-24",
            url: "https://access.redhat.com/errata/RHSA-2021:1561",
         },
         {
            category: "external",
            summary: "Jenkins Security Advisory 2021-04-20",
            url: "https://www.jenkins.io/security/advisory/2021-04-20/",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:1509 vom 2021-05-05",
            url: "https://access.redhat.com/errata/RHSA-2021:1509",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:2461 vom 2021-06-16",
            url: "https://access.redhat.com/errata/RHSA-2021:2461",
         },
         {
            category: "external",
            summary: "SUSE Security Update SUSE-SU-2021:2005-1 vom 2021-06-17",
            url: "https://lists.suse.com/pipermail/sle-security-updates/2021-June/009033.html",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:2689 vom 2021-07-12",
            url: "https://access.redhat.com/errata/RHSA-2021:2689",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:3140 vom 2021-08-11",
            url: "https://access.redhat.com/errata/RHSA-2021:3140",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:3225 vom 2021-08-20",
            url: "https://access.redhat.com/errata/RHSA-2021:3225",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:3700 vom 2021-09-30",
            url: "https://access.redhat.com/errata/RHSA-2021:3700",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2021:4767 vom 2021-11-23",
            url: "https://access.redhat.com/errata/RHSA-2021:4767",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2022:6407 vom 2022-09-09",
            url: "https://access.redhat.com/errata/RHSA-2022:6407",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 6825513 vom 2022-10-01",
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-rational-change-fix-pack-04-for-5-3-2/",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 6829321 vom 2022-10-15",
            url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-eclipse-jetty-affect-ibm-infosphere-information-server/",
         },
         {
            category: "external",
            summary: "Dell Security Advisory DSA-2023-307 vom 2023-11-13",
            url: "https://www.dell.com/support/kbdoc/de-de/000219031/dsa-2023-307-security-update-for-dell-networker-virtual-edition-nve-jetty-vulnerabilities",
         },
         {
            category: "external",
            summary: "IBM Security Bulletin 7156278 vom 2024-06-03",
            url: "https://www.ibm.com/support/pages/node/7156278",
         },
      ],
      source_lang: "en-US",
      title: "Eclipse Jetty: Mehrere Schwachstellen",
      tracking: {
         current_release_date: "2024-06-03T22:00:00.000+00:00",
         generator: {
            date: "2024-08-15T17:34:57.050+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.5",
            },
         },
         id: "WID-SEC-W-2022-1365",
         initial_release_date: "2021-04-05T22:00:00.000+00:00",
         revision_history: [
            {
               date: "2021-04-05T22:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
            {
               date: "2021-04-20T22:00:00.000+00:00",
               number: "2",
               summary: "Neue Updates aufgenommen",
            },
            {
               date: "2021-05-05T22:00:00.000+00:00",
               number: "3",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-05-13T22:00:00.000+00:00",
               number: "4",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-05-19T22:00:00.000+00:00",
               number: "5",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-05-24T22:00:00.000+00:00",
               number: "6",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-06-16T22:00:00.000+00:00",
               number: "7",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-06-17T22:00:00.000+00:00",
               number: "8",
               summary: "Neue Updates von SUSE aufgenommen",
            },
            {
               date: "2021-07-12T22:00:00.000+00:00",
               number: "9",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-08-11T22:00:00.000+00:00",
               number: "10",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-08-19T22:00:00.000+00:00",
               number: "11",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-09-29T22:00:00.000+00:00",
               number: "12",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2021-11-23T23:00:00.000+00:00",
               number: "13",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2022-09-11T22:00:00.000+00:00",
               number: "14",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2022-10-03T22:00:00.000+00:00",
               number: "15",
               summary: "Neue Updates von IBM aufgenommen",
            },
            {
               date: "2022-10-16T22:00:00.000+00:00",
               number: "16",
               summary: "Neue Updates von IBM aufgenommen",
            },
            {
               date: "2023-11-12T23:00:00.000+00:00",
               number: "17",
               summary: "Neue Updates von Dell aufgenommen",
            },
            {
               date: "2024-06-03T22:00:00.000+00:00",
               number: "18",
               summary: "Neue Updates von IBM aufgenommen",
            },
         ],
         status: "final",
         version: "18",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<virtual 19.9.0.2",
                        product: {
                           name: "Dell NetWorker <virtual 19.9.0.2",
                           product_id: "T031052",
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<virtual 19.8.0.4",
                        product: {
                           name: "Dell NetWorker <virtual 19.8.0.4",
                           product_id: "T031053",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "NetWorker",
               },
            ],
            category: "vendor",
            name: "Dell",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<9.4.39",
                        product: {
                           name: "Eclipse Jetty <9.4.39",
                           product_id: "T018774",
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<10.0.2",
                        product: {
                           name: "Eclipse Jetty <10.0.2",
                           product_id: "T018775",
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<11.0.2",
                        product: {
                           name: "Eclipse Jetty <11.0.2",
                           product_id: "T018776",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Jetty",
               },
            ],
            category: "vendor",
            name: "Eclipse",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "IBM Business Automation Workflow",
                  product: {
                     name: "IBM Business Automation Workflow",
                     product_id: "T019704",
                     product_identification_helper: {
                        cpe: "cpe:/a:ibm:business_automation_workflow:-",
                     },
                  },
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "11.7",
                        product: {
                           name: "IBM InfoSphere Information Server 11.7",
                           product_id: "444803",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:infosphere_information_server:11.7",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "InfoSphere Information Server",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "5.3.2.4",
                        product: {
                           name: "IBM Rational Change 5.3.2.4",
                           product_id: "T024761",
                           product_identification_helper: {
                              cpe: "cpe:/a:ibm:rational_change:5.3.2.4",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Rational Change",
               },
            ],
            category: "vendor",
            name: "IBM",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "Red Hat Enterprise Linux",
                  product: {
                     name: "Red Hat Enterprise Linux",
                     product_id: "67646",
                     product_identification_helper: {
                        cpe: "cpe:/o:redhat:enterprise_linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "SUSE Linux",
                  product: {
                     name: "SUSE Linux",
                     product_id: "T002207",
                     product_identification_helper: {
                        cpe: "cpe:/o:suse:suse_linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2021-28163",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Eclipse Jetty. Der Fehler besteht, wenn das Verzeichnis \"${jetty.base}\" oder das Verzeichnis \"${jetty.base}/webapps\" ein Symlink ist. Ein entfernter, authentifizierter Angreifer mit Berechtigungen kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen.",
            },
         ],
         product_status: {
            known_affected: [
               "T002207",
               "67646",
               "444803",
               "T019704",
               "T024761",
               "T031052",
               "T031053",
            ],
         },
         release_date: "2021-04-05T22:00:00.000+00:00",
         title: "CVE-2021-28163",
      },
      {
         cve: "CVE-2021-28164",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Eclipse Jetty. Der Fehler besteht, weil der Standard-Compliance-Modus Anfragen mit URIs, die \"%2e\"- oder \"%2e%2e\"-Segmente enthalten, den Zugriff auf geschützte Ressourcen innerhalb des \"WEB-INF-Verzeichnisses\" zulässt. Ein entfernter anonymer Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen.",
            },
         ],
         product_status: {
            known_affected: [
               "T002207",
               "67646",
               "444803",
               "T019704",
               "T024761",
               "T031052",
               "T031053",
            ],
         },
         release_date: "2021-04-05T22:00:00.000+00:00",
         title: "CVE-2021-28164",
      },
      {
         cve: "CVE-2021-28165",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Eclipse Jetty. Der Fehler besteht, wenn SSL/TLS verwendet wird und der Server einen ungültigen großen TLS-Frame empfängt, der nicht korrekt behandelt wird. Ein entfernter anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand auszulösen.",
            },
         ],
         product_status: {
            known_affected: [
               "T002207",
               "67646",
               "444803",
               "T019704",
               "T024761",
               "T031052",
               "T031053",
            ],
         },
         release_date: "2021-04-05T22:00:00.000+00:00",
         title: "CVE-2021-28165",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.