Описание
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
Отчет
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
Меры по смягчению последствий
Jetty users should create temp folders outside the normal /tmp structure, and ensure that their permissions are set so as not to be accessible by an attacker.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | jetty | Not affected | ||
| Red Hat Enterprise Linux 6 | jetty-eclipse | Out of support scope | ||
| Red Hat Enterprise Linux 7 | jetty | Will not fix | ||
| Red Hat Enterprise Linux 8 | jetty | Will not fix | ||
| Red Hat JBoss A-MQ 6 | jetty | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jetty | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | jetty | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hadoop | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hive | Will not fix | ||
| Red Hat Process Automation 7 | jetty | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7 High
CVSS3
Связанные уязвимости
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thr ...
Уязвимость контейнера сервлетов Eclipse Jetty, связанная с созданием временных файлов с небезопасными разрешениями, позволяющая нарушителю повысить свои привилегии
EPSS
7 High
CVSS3