-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2007.0975
        [Win][UNIX/Linux] Multiple Vulnerabilities in Mortbay Jetty
                               5 December 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mortbay Jetty
Publisher:            US-CERT
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
                      Inappropriate Access
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-5615 CVE-2007-5614 CVE-2007-5613

Original Bulletin:
  http://www.kb.cert.org/vuls/id/212984
  http://www.kb.cert.org/vuls/id/438616
  http://www.kb.cert.org/vuls/id/237888

Comment: This bulletin contains three (3) US-CERT security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#212984

Mortbay Jetty vulnerable to HTTP response splitting

Overview

Mortbay Jetty is vulnerable to HTTP response splitting, which may allow a
remote, unauthenticated attacker to inject various HTTP headers.

I. Description

Mortbay Jetty is a web server that is written in Java. Jetty fails to
properly handle HTTP headers with CRLF sequences, which can allow an
attacker to inject certain HTTP headers into server responses.

II. Impact

A remote, unauthenticated attacker may be able to perform a cross-site
scripting attack, set cookies, or poison a proxy cache.

III. Solution

Apply an update

This issue is addressed in Mortbay Jetty 6.1.6 [2]. Details are available
in the release notes [1].

Systems Affected

Vendor       Status      Date Updated
Mort Bay     Vulnerable  4-Dec-2007

References

[1] http://svn.codehaus.org/jetty/jetty/trunk/VERSION.txt
[2] http://dist.codehaus.org/jetty/jetty-6.1.6/

Credit

Thanks to Tomasz Kuczynski for reporting this vulnerability.

This document was written by Will Dormann.
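Response splitting of the kind VU#212984 describes, as an added example. This is Python written for this page, not Jetty code, and it does not reproduce the particular Jetty code path that 6.1.6 changed. It assumes the usual trigger: a redirect whose Location header is built from request data the attacker controls. The CRLF-laden parameter, the hypothetical redirect builders, the minimal response reader and the `is_rejected` helper are all constructed for the illustration. The reader shows why the impact list covers cookie setting, XSS and cache poisoning at once: a downstream parser on the same connection sees the injected bytes as a second, attacker-authored response.

```python
"""HTTP response splitting via CR/LF in a header value, and the check that
prevents it.

Added illustration for VU#212984; this is not Jetty code and does not
reproduce the specific Jetty code path fixed in 6.1.6."""
from typing import Dict, List, Tuple

# Constructed attacker input for a hypothetical redirect endpoint that copies
# a request parameter into the Location header. Over the wire the CR/LF pairs
# would arrive as %0d%0a and be URL-decoded before reaching the header.
ATTACKER_LOCATION = (
    "/home\r\n"
    "Set-Cookie: JSESSIONID=attacker-chosen\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


def build_redirect_unsafe(location: str) -> bytes:
    """Vulnerable pattern: the header value is emitted verbatim."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def checked_header_value(value: str) -> str:
    """Hardened: refuse any CR, LF or other control character in a header
    value. Rejecting (rather than stripping) keeps the attempt visible."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise ValueError("control character in header value")
    return value


def build_redirect_safe(location: str) -> bytes:
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {checked_header_value(location)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def is_rejected(value: str) -> bool:
    """True if the hardened builder refuses this header value."""
    try:
        build_redirect_safe(value)
    except ValueError:
        return True
    return False


def split_responses(raw: bytes) -> List[Tuple[str, Dict[str, str], bytes]]:
    """Minimal HTTP/1.1 reader standing in for a browser or caching proxy on
    the same connection: reads status line, headers and a Content-Length
    body, and keeps going while another status line follows. Returns every
    message it sees, which is how one response becomes two."""
    messages = []
    pos = 0
    while raw.startswith(b"HTTP/", pos):
        head_end = raw.index(b"\r\n\r\n", pos)
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        messages.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return messages


if __name__ == "__main__":
    for status, headers, body in split_responses(build_redirect_unsafe(ATTACKER_LOCATION)):
        print(status, headers, body)
    print("hardened builder rejects payload:", is_rejected(ATTACKER_LOCATION))
```

The check belongs at the point where a header value is set (setHeader/addHeader/sendRedirect in a servlet container), not in individual applications, because every application that copies request data into a header inherits the bug otherwise. A quick audit on a deployment that cannot be updated immediately is to search access logs for %0d or %0a in query strings that feed redirects.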
Other Information

Date Public            03/11/2007
Date First Published   04/12/2007 13:21:11
Date Last Updated      03/12/2007
CERT Advisory
CVE Name               CVE-2007-5615
Metric                 4.41
Document Revision      3

US-CERT Vulnerability Note VU#438616

Mortbay Jetty fails to properly handle cookies with quotes

Overview

Mortbay Jetty fails to properly handle cookie quotes, which may allow
session hijacking.

I. Description

Mortbay Jetty is a web server that is written in Java. Jetty fails to
properly handle cookies with certain quote sequences. This can cause the
Jetty cookie parsing mechanism to improperly handle all of the cookies in
the cookie string that follow the cookie with the quote sequence.

II. Impact

This vulnerability can increase the possibility of a session hijacking
success. In the presence of a cross-site scripting vulnerability, it may
allow a denial-of-service attack against a web site by preventing a client
from being able to log in using cookies.

III. Solution

Apply an update

This issue is addressed in Mortbay Jetty 6.1.6 [2]. Details are available
in the release notes [1].

Systems Affected

Vendor       Status      Date Updated
Mort Bay     Vulnerable  4-Dec-2007

References

[1] http://svn.codehaus.org/jetty/jetty/trunk/VERSION.txt
[2] http://dist.codehaus.org/jetty/jetty-6.1.6/

Credit

Thanks to Tomasz Kuczynski for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public            05/11/2007
Date First Published   04/12/2007 13:05:14
Date Last Updated      03/12/2007
CERT Advisory
CVE Name               CVE-2007-5614
Metric                 2.78
Document Revision      4

US-CERT Vulnerability Note VU#237888

Mortbay Jetty Dump Servlet vulnerable to cross-site scripting

Overview

The Mortbay Jetty Dump Servlet contains a cross-site scripting vulnerability.

I. Description

Mortbay Jetty is a web server that is written in Java. The Dump Servlet
that is included with Jetty is vulnerable to cross-site scripting.
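Going back to VU#438616 above: the failure class it describes, a cookie with a quote sequence making the parser mishandle every cookie after it, as an added illustration. This is Python written for this page; it is not Jetty's cookie parser and does not claim to match the exact code that 6.1.6 changed. The Cookie header, the cookie names and both parser functions are constructed for the example. The naive parser shows how an unbalanced quote in a low-value cookie swallows the session cookie that follows it (the "cannot log in" effect in the Impact section, and the reason a separate XSS bug turns it into a denial of service); the bounded parser applies the rule RFC 6265 later made standard, that a `;` always ends a cookie, quoted or not.

```python
"""Cookie-header parsing: how one cookie value with an unbalanced quote can
swallow every cookie after it, and a parser that does not let it.

Added illustration of the failure class in VU#438616; not Jetty's parser."""
from typing import Dict

# Constructed Cookie header: a harmless-looking cookie (set, for example, via
# an XSS bug or by a sibling host on the same domain) carries a stray quote,
# and the session cookie follows it.
COOKIE_HEADER = 'pref="theme; JSESSIONID=0123456789abcdef; lang=en'


def parse_cookies_naive(header: str) -> Dict[str, str]:
    """Vulnerable pattern: a quoted value runs until the next '"', even past
    ';' separators. With no closing quote, everything after the opening
    quote becomes the value of that one cookie."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        eq = header.find("=", i)
        if eq < 0:
            break
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':
            close = header.find('"', i + 1)
            if close < 0:
                close = n  # unbalanced quote: the rest of the header is swallowed
            value = header[i + 1:close]
            i = close + 1
        else:
            semi = header.find(";", i)
            if semi < 0:
                semi = n
            value = header[i:semi].strip()
            i = semi
        cookies[name] = value
        semi = header.find(";", i)
        i = n if semi < 0 else semi + 1
    return cookies


def parse_cookies_bounded(header: str) -> Dict[str, str]:
    """Hardened: split on ';' first, so a quote in one cookie can never extend
    its value into its neighbours (the RFC 6265 rule). Quotes are stripped
    only when the value is fully quoted; a lone quote is kept as data."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.partition("=")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        cookies[name] = value
    return cookies


def session_visible(parser, header: str) -> bool:
    """Does the server-side parser still see the session cookie?"""
    return "JSESSIONID" in parser(header)


if __name__ == "__main__":
    print("naive  :", parse_cookies_naive(COOKIE_HEADER))
    print("bounded:", parse_cookies_bounded(COOKIE_HEADER))
```

The practical test for a deployment is the second line of that output: if the session cookie disappears whenever a sibling cookie contains a stray quote, a single injected cookie (via XSS, or via any host that can set cookies for the parent domain) logs every victim out until they clear cookies.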
Note that according to the vendor, the Dump Servlet is for testing purposes
and is not intended to be included in a live web site.

II. Impact

A remote, unauthenticated attacker may be able to perform a cross-site
scripting attack against a Jetty web server. More information about
cross-site scripting can be found in CERT Advisory CA-2000-02.

III. Solution

Apply an update

This issue is addressed in Mortbay Jetty 6.1.6 [3]. Details are available
in the release notes [1].

Remove the Dump Servlet

This issue can be mitigated by removing the Dump Servlet from the web
server. Since the vendor describes the servlet as a test tool, removing it
from production deployments is appropriate whether or not the update is
applied.

Systems Affected

Vendor       Status      Date Updated
Mort Bay     Vulnerable  4-Dec-2007

References

[1] http://svn.codehaus.org/jetty/jetty/trunk/VERSION.txt
[2] http://jira.codehaus.org/browse/JETTY-452
[3] http://dist.codehaus.org/jetty/jetty-6.1.6/

Credit

Thanks to Tomasz Kuczynski for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public            05/11/2007
Date First Published   04/12/2007 12:40:07
Date Last Updated      03/12/2007
CERT Advisory
CVE Name               CVE-2007-5613
Metric                 3.29
Document Revision      7

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR1YUvih9+71yA2DNAQJCdgP8C5agYbzKAZGYYVBet+zMR5dCafAwERWf
NM+mJW+dgqBrXRBTBhnnEsTzAHouv9iDye3L4evTErrRU2B9cdtwPBvkNk8uiNfG
8/5cx9F4jIom/hXWcvn5sQDFQ9nPjV4bgFyviWMa4lGJrOBjBRm38Z4rXr31Pkv6
RnaFd4bb6NA=
=xK2b
-----END PGP SIGNATURE-----