Security update for jetty-minimal SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:2005-1 Final 1 1 2021-07-11T08:05:38Z current 2021-07-11T08:05:38Z 2021-07-11T08:05:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jetty-minimal This update for jetty-minimal fixes the following issues: Update to version 9.4.42.v20210604 - Fix: bsc#1187117, CVE-2021-28169 - possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory - Fix: bsc#1184367, CVE-2021-28165 - jetty server high CPU when client send data length > 17408 - Fix: bsc#1184368, CVE-2021-28164 - Normalize ambiguous URIs - Fix: bsc#1184366, CVE-2021-28163 - Exclude webapps directory from deployment scan The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-2005 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/ E-Mail link for openSUSE-SU-2021:2005-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184366 SUSE Bug 1184366 https://bugzilla.suse.com/1184367 SUSE Bug 1184367 https://bugzilla.suse.com/1184368 SUSE Bug 1184368 https://bugzilla.suse.com/1187117 SUSE Bug 1187117 https://www.suse.com/security/cve/CVE-2021-28163/ SUSE CVE CVE-2021-28163 page https://www.suse.com/security/cve/CVE-2021-28164/ SUSE CVE CVE-2021-28164 page https://www.suse.com/security/cve/CVE-2021-28165/ SUSE CVE CVE-2021-28165 page https://www.suse.com/security/cve/CVE-2021-28169/ SUSE CVE CVE-2021-28169 page openSUSE Leap 15.3 jetty-annotations-9.4.42-3.9.1 jetty-client-9.4.42-3.9.1 jetty-continuation-9.4.42-3.9.1 jetty-http-9.4.42-3.9.1 jetty-io-9.4.42-3.9.1 jetty-jaas-9.4.42-3.9.1 jetty-javax-websocket-client-impl-9.4.42-3.9.1 jetty-javax-websocket-server-impl-9.4.42-3.9.1 jetty-jmx-9.4.42-3.9.1 jetty-jndi-9.4.42-3.9.1 jetty-jsp-9.4.42-3.9.1 jetty-minimal-javadoc-9.4.42-3.9.1 jetty-openid-9.4.42-3.9.1 jetty-plus-9.4.42-3.9.1 jetty-proxy-9.4.42-3.9.1 jetty-security-9.4.42-3.9.1 jetty-server-9.4.42-3.9.1 jetty-servlet-9.4.42-3.9.1 jetty-util-9.4.42-3.9.1 jetty-util-ajax-9.4.42-3.9.1 jetty-webapp-9.4.42-3.9.1 jetty-websocket-api-9.4.42-3.9.1 jetty-websocket-client-9.4.42-3.9.1 jetty-websocket-common-9.4.42-3.9.1 jetty-websocket-javadoc-9.4.42-3.9.1 jetty-websocket-server-9.4.42-3.9.1 jetty-websocket-servlet-9.4.42-3.9.1 jetty-xml-9.4.42-3.9.1 jetty-annotations-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-client-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-continuation-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-http-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-io-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-jaas-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-javax-websocket-client-impl-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-javax-websocket-server-impl-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-jmx-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-jndi-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-jsp-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-minimal-javadoc-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-openid-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-plus-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-proxy-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-security-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-server-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-servlet-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-util-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-util-ajax-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-webapp-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-websocket-api-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-websocket-client-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-websocket-common-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-websocket-javadoc-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-websocket-server-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-websocket-servlet-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 jetty-xml-9.4.42-3.9.1 as a component of openSUSE Leap 15.3 In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory. CVE-2021-28163 openSUSE Leap 15.3:jetty-annotations-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-client-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-continuation-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-http-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-io-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jaas-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-javax-websocket-client-impl-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-javax-websocket-server-impl-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jmx-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jndi-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jsp-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-minimal-javadoc-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-openid-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-plus-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-proxy-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-security-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-server-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-servlet-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-util-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-util-ajax-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-webapp-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-api-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-client-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-common-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-javadoc-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-server-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-servlet-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-xml-9.4.42-3.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/ https://www.suse.com/security/cve/CVE-2021-28163.html CVE-2021-28163 https://bugzilla.suse.com/1184366 SUSE Bug 1184366 In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. CVE-2021-28164 openSUSE Leap 15.3:jetty-annotations-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-client-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-continuation-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-http-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-io-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jaas-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-javax-websocket-client-impl-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-javax-websocket-server-impl-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jmx-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jndi-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jsp-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-minimal-javadoc-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-openid-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-plus-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-proxy-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-security-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-server-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-servlet-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-util-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-util-ajax-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-webapp-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-api-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-client-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-common-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-javadoc-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-server-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-servlet-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-xml-9.4.42-3.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/ https://www.suse.com/security/cve/CVE-2021-28164.html CVE-2021-28164 https://bugzilla.suse.com/1184368 SUSE Bug 1184368 https://bugzilla.suse.com/1188438 SUSE Bug 1188438 In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CVE-2021-28165 openSUSE Leap 15.3:jetty-annotations-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-client-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-continuation-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-http-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-io-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jaas-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-javax-websocket-client-impl-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-javax-websocket-server-impl-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jmx-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jndi-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jsp-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-minimal-javadoc-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-openid-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-plus-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-proxy-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-security-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-server-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-servlet-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-util-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-util-ajax-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-webapp-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-api-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-client-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-common-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-javadoc-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-server-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-servlet-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-xml-9.4.42-3.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/ https://www.suse.com/security/cve/CVE-2021-28165.html CVE-2021-28165 https://bugzilla.suse.com/1184367 SUSE Bug 1184367 For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. CVE-2021-28169 openSUSE Leap 15.3:jetty-annotations-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-client-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-continuation-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-http-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-io-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jaas-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-javax-websocket-client-impl-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-javax-websocket-server-impl-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jmx-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jndi-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-jsp-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-minimal-javadoc-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-openid-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-plus-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-proxy-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-security-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-server-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-servlet-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-util-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-util-ajax-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-webapp-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-api-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-client-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-common-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-javadoc-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-server-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-websocket-servlet-9.4.42-3.9.1 openSUSE Leap 15.3:jetty-xml-9.4.42-3.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/ https://www.suse.com/security/cve/CVE-2021-28169.html CVE-2021-28169 https://bugzilla.suse.com/1187117 SUSE Bug 1187117