Описание
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity.
Отчет
In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. OCP 3.11 is out of the support scope for Moderate and Low impact vulnerabilities because is already in the Maintenance Support phase, hence the affected OCP 3.11 component has been marked as wontifx. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
Меры по смягчению последствий
Applications should catch all Throwables within their SessionListener#sessionDestroyed() implementations.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat CodeReady Studio 12 | jetty-server | Fix deferred | ||
| Red Hat Developer Tools | rh-eclipse-jetty | Affected | ||
| Red Hat Enterprise Linux 7 | jetty | Out of support scope | ||
| Red Hat Enterprise Linux 8 | eclipse:rhel8/jetty | Fix deferred | ||
| Red Hat Integration Camel K 1 | jetty | Fix deferred | ||
| Red Hat Integration Service Registry | jetty-server | Affected | ||
| Red Hat JBoss A-MQ 6 | jetty-server | Out of support scope | ||
| Red Hat JBoss Data Grid 7 | jetty-server | Not affected | ||
| Red Hat JBoss Fuse 6 | jetty | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jetty-server | Out of support scope |
Показывать по
Дополнительная информация
Статус:
3.5 Low
CVSS3
Связанные уязвимости
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exce ...
SessionListener can prevent a session from being invalidated breaking logout
Уязвимость метода SessionListener#sessionDestroyed() контейнера сервлетов Eclipse Jetty, позволяющая нарушителю повысить свои привилегии
3.5 Low
CVSS3