Vulnerability Name: CVE-2017-7657 (CCN-145521)
Assigned: 2017-04-11
Published: 2018-06-25
Updated: 2021-07-20

Summary: In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size, and content sent as the chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization, and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary, as the fake pipelined request would not be interpreted by the intermediary as a request.

CVSS v3 Severity:
9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): None

CVSS v2 Severity:
7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial

6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): None

Vulnerability Type: CWE-190, CWE-444
Vulnerability Consequences: Gain Access

References:
Source: MITRE; Type: CNA; CVE-2017-7657
Source: CCN; Type: Jetty Mailing List, Mon, 25 Jun 2018 12:17:08 -0400; Jetty CVE Announcement - June 2018
Source: CCN; Type: Eclipse Web site; Eclipse Jetty
Source: SECTRACK; Type: Third Party Advisory, VDB Entry; 1041194
Source: REDHAT; Type: Third Party Advisory; RHSA-2019:0910
Source: CONFIRM; Type: Third Party Advisory; https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
Source: XF; Type: UNKNOWN; eclipse-cve20177657-request-smuggling(145521)
Source: MLIST; Type: Mailing List, Third Party Advisory; [activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar
Source: MLIST; Type: Mailing List, Third Party Advisory; [lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
Source: MLIST; Type: Mailing List, Third Party Advisory; [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities
Source: MLIST; Type: Mailing List, Third Party Advisory; [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
Source: MLIST; Type: UNKNOWN; [druid-commits] 20210304 [GitHub] [druid] suneet-s commented on issue #10926: Hello, are there any plans to fix the CVE-2017-7657 and CVE-2017-7658 vulnerabilities of Jetty
Source: MLIST; Type: UNKNOWN; [druid-commits] 20210304 [GitHub] [druid] suneet-s closed issue #10926: Hello, are there any plans to fix the CVE-2017-7657 and CVE-2017-7658 vulnerabilities of Jetty
Source: MLIST; Type: Mailing List, Third Party Advisory; [druid-commits] 20210226 [GitHub] [druid] kingnj opened a new issue #10926: Hello, are there any plans to fix the CVE-2017-7657 and CVE-2017-7658 vulnerabilities of Jetty
Source: CONFIRM; Type: Patch, Third Party Advisory; https://security.netapp.com/advisory/ntap-20181014-0001/
Source: CONFIRM; Type: Third Party Advisory; https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
Source: DEBIAN; Type: Third Party Advisory; DSA-4278
Source: CCN; Type: IBM Security Bulletin 0728823 (Sterling B2B Integrator); Multiple Security Vulnerabilities in Jetty Affect IBM Sterling B2B Integrator
Source: CCN; Type: IBM Security Bulletin 732816 (InfoSphere Information Server); Vulnerabilities in Eclipse Jetty affect the IBM InfoSphere Information Server installers
Source: CCN; Type: IBM Security Bulletin 733987 (Netcool Agile Service Manager); IBM Netcool Agile Service Manager is affected by Eclipse Jetty vulnerabilities
Source: CCN; Type: IBM Security Bulletin 0792111 (Sterling Secure Proxy); Multiple Vulnerabilities affect IBM Sterling Secure Proxy
Source: CCN; Type: IBM Security Bulletin 792117 (Sterling Secure Proxy); Multiple Vulnerabilities affect IBM Sterling External Authentication Server
Source: CCN; Type: IBM Security Bulletin 794721 (UrbanCode Deploy); Publicly Disclosed Vulnerability Found By vFinder (CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2018-12536)
Source: CCN; Type: IBM Security Bulletin 6202751 (eDiscovery Analyzer); Publicly disclosed vulnerability found by vFinder in IBM eDiscovery Analyzer
Source: CCN; Type: IBM Security Bulletin 6320063 (Security Guardium Insights); IBM Security Guardium Insights is affected by a Components with known vulnerabilities
Source: CCN; Type: IBM Security Bulletin 6320835 (Security Guardium Data Encryption); Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)
Source: CCN; Type: IBM Security Bulletin 6344071 (QRadar SIEM); IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities
Source: CCN; Type: IBM Security Bulletin 6466729 (Cognos Analytics); IBM Cognos Analytics has addressed multiple vulnerabilities
Source: CCN; Type: IBM Security Bulletin 6602025 (Tivoli Netcool/OMNIbus); Tivoli Netcool/Omnibus installation contains vulnerable Eclipse Jetty code libraries (Multiple CVEs)
Source: CCN; Type: IBM Security Bulletin 6621343 (Control Desk); Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk.
Source: CCN; Type: IBM Security Bulletin 6830869 (Enterprise Records); Vulnerability found in Eclipse Jetty may affect IBM Enterprise Records
Source: CCN; Type: IBM Security Bulletin 6854577 (Security Verify Governance); IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty
Source: CCN; Type: IBM Security Bulletin 6983274 (Cognos Command Center); IBM Cognos Command Center is affected by multiple vulnerabilities
Source: CCN; Type: IBM Security Bulletin 7005945 (Storage Protect); IBM Storage Protect Server is vulnerable to various attacks due to Eclipse jetty
Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpuoct2020.html
Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Source: CCN; Type: WhiteSource Vulnerability Database; CVE-2017-7657

Vulnerable Configuration:

Configuration 1:
cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.3.0 and < 9.3.24)
OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.4.0 and < 9.4.11)
OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version <= 9.2.26)

Configuration 2:
cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:
cpe:/a:netapp:hci_storage_nodes:-:*:*:*:*:*:*:*
OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0 and <= 11.50.1)
OR cpe:/a:netapp:oncommand_unified_manager:*:*:*:*:*:*:*:* (Version < 5.2.4)
OR cpe:/a:netapp:snap_creator_framework:*:*:*:*:*:*:*:* (Version < 4.3.3)
OR cpe:/a:netapp:snapcenter:*:*:*:*:*:*:*:* (Version < 4.1p3)
OR cpe:/a:netapp:snapmanager:*:*:*:*:*:sap:*:* (Version < 3.4.2)
OR cpe:/a:netapp:snapmanager:*:*:*:*:*:oracle:*:* (Version < 3.4.2)
OR cpe:/a:netapp:e-series_santricity_management:-:*:*:*:*:*:*:*
OR cpe:/a:netapp:e-series_santricity_web_services:-:*:*:*:*:*:*:*
OR cpe:/a:netapp:element_software:-:*:*:*:*:*:*:*
OR cpe:/a:netapp:element_software_management_node:-:*:*:*:*:*:*:*
OR cpe:/a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*
OR cpe:/a:netapp:oncommand_system_manager:3.x:*:*:*:*:*:*:*

Configuration 4:
cpe:/a:hp:xp_p9000_command_view:*:*:*:*:advanced:*:*:* (Version >= 8.4.0-00 and < 8.6.2-00)
AND cpe:/h:hp:xp_p9000:-:*:*:*:*:*:*:*

Configuration 5:
cpe:/a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
OR cpe:/a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
OR cpe:/a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
OR cpe:/a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
OR cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
OR cpe:/a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
OR cpe:/a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*

Configuration CCN 1:
cpe:/a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*
OR cpe:/a:eclipse:jetty:9.2.0:20140526:*:*:*:*:*:*
OR cpe:/a:eclipse:jetty:9.3.0:20150612:*:*:*:*:*:*
AND cpe:/a:ibm:infosphere_information_server:9.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:sterling_b2b_integrator:-:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:infosphere_information_server:11.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.0.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:sterling_secure_proxy:3.4.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.0.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.1.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.1.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.1.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.1.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.1.5:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.1.6:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.1.7:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:infosphere_information_server:11.5:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.1.8:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.3.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.3.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:sterling_secure_proxy:3.4.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.1.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.3.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.1.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.2.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.3.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.3.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.3.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.3.5:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.3.6:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.4.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.4.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.5.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.3.7:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.1.3.8:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.6.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.6.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.7.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:sterling_b2b_integrator:5.2.6.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.7.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.7.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:netcool_agile_service_manager:1.1.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:netcool_agile_service_manager:1.1.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.5.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:6.2.7.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:7.0.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:7.0.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:7.0.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:urbancode_deploy:7.0.1.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p4:*:*:*:*:*:*
OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*
OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.1:-:*:*:*:*:*:*
OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:control_desk:7.6.1:*:*:*:*:*:*:*