Vulnerability CVE-2017-7658 - CERT Civis.Net

Vulnerability Name:

CVE-2017-7658 (CCN-145522)

Assigned:

2017-04-11

Published:

2018-06-25

Updated:

2021-07-20

Summary:

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2017-7658

Source: CCN
Type: Jetty Mailing List, Mon, 25 Jun 2018 12:17:08 -0400
Jetty CVE Announcement - June 2018

Source: CCN
Type: Eclipse Web site
Eclipse Jetty

Source: CCN
Type: Oracle CPUJan2019
Oracle Critical Patch Update Advisory - January 2019

Source: BID
Type: Third Party Advisory, VDB Entry
106566

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1041194

Source: CONFIRM
Type: Third Party Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669

Source: XF
Type: UNKNOWN
eclipse-cve20177658-request-smuggling(145522)

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar

Source: MLIST
Type: Mailing List, Third Party Advisory
[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report

Source: MLIST
Type: Mailing List, Third Party Advisory
[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities

Source: MLIST
Type: Mailing List, Third Party Advisory
[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Source: MLIST
Type: UNKNOWN
[druid-commits] 20210304 [GitHub] [druid] suneet-s commented on issue #10926: Hello, are there any plans to fix the CVE-2017-7657 and CVE-2017-7658 vulnerabilities of Jetty

Source: MLIST
Type: UNKNOWN
[druid-commits] 20210304 [GitHub] [druid] suneet-s closed issue #10926: Hello, are there any plans to fix the CVE-2017-7657 and CVE-2017-7658 vulnerabilities of Jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[druid-commits] 20210226 [GitHub] [druid] kingnj opened a new issue #10926: Hello, are there any plans to fix the CVE-2017-7657 and CVE-2017-7658 vulnerabilities of Jetty

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20181014-0001/

Source: CONFIRM
Type: Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us

Source: DEBIAN
Type: Third Party Advisory
DSA-4278

Source: CCN
Type: IBM Security Bulletin 0728823 (Sterling B2B Integrator)
Multiple Security Vulnerabilities in Jetty Affect IBM Sterling B2B Integrator

Source: CCN
Type: IBM Security Bulletin 732816 (InfoSphere Information Server)
Vulnerabilities in Eclipse Jetty affect the IBM InfoSphere Information Server installers

Source: CCN
Type: IBM Security Bulletin 733987 (Netcool Agile Service Manager)
IBM Netcool Agile Service Manager is affected by Eclipse Jetty vulnerabilities

Source: CCN
Type: IBM Security Bulletin 0792111 (Sterling Secure Proxy)
Multiple Vulnerabilities affect IBM Sterling Secure Proxy

Source: CCN
Type: IBM Security Bulletin 792117 (Sterling Secure Proxy)
Multiple Vulnerabilities affect IBM Sterling External Authentication Server

Source: CCN
Type: IBM Security Bulletin 794721 (UrbanCode Deploy)
Publicly Disclosed Vulnerability Found By vFinder (CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2018-12536)

Source: CCN
Type: IBM Security Bulletin 6202751 (eDiscovery Analyzer)
Publicly disclosed vulnerability found by vFinder in IBM eDiscovery Analyzer

Source: CCN
Type: IBM Security Bulletin 6320063 (Security Guardium Insights)
IBM Security Guardium Insights is affected by a Components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6320835 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6344071 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6466729 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6602025 (Tivoli Netcool/OMNIbus)
Tivoli Netcool/Omnibus installation contains vulnerable Eclipse Jetty code libraries (Multiple CVEs)

Source: CCN
Type: IBM Security Bulletin 6621343 (Control Desk)
Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk.

Source: CCN
Type: IBM Security Bulletin 6854577 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6983274 (Cognos Command Center)
IBM Cognos Command Center is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7005945 (Storage Protect)
IBM Storage Protect Server is vulnerable to various attacks due to Eclipse jetty

Source: CCN
Type: Oracle CPUOct2020
Oracle Critical Patch Update Advisory - October 2020

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Source: CONFIRM
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-7658

Vulnerable Configuration:

Configuration 1:

cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.4.0 and < 9.4.11)

OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.3.0 and < 9.3.24)

OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version <= 9.2.26)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*

OR cpe:/a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*

OR cpe:/a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*

OR cpe:/a:oracle:rest_data_services:18c:*:*:*:-:*:*:*

OR cpe:/a:oracle:retail_xstore_payment:3.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:hp:xp_p9000_command_view:*:*:*:*:advanced:*:*:* (Version >= 8.4.0-00 and <= 8.6.2-00)

AND

cpe:/h:hp:xp_p9000:-:*:*:*:*:*:*:*

Configuration 5:

cpe:/a:netapp:e-series_santricity_management:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0 and <= 11.50.1)

OR cpe:/a:netapp:e-series_santricity_web_services:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:hci_management_node:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:hci_storage_node:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.1.3)

OR cpe:/a:netapp:oncommand_unified_manager_for_7-mode:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snapmanager:-:*:*:*:*:oracle:*:*

OR cpe:/a:netapp:snapmanager:-:*:*:*:*:sap:*:*

OR cpe:/a:netapp:solidfire:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:storage_services_connector:-:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.2.0:20140526:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.0:20150612:*:*:*:*:*:*

AND

cpe:/a:ibm:infosphere_information_server:9.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:-:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_secure_proxy:3.4.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.1.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.1.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_secure_proxy:3.4.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.3.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.3.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.3.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.4.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.5.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.3.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.1.3.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:5.2.6.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.7.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:netcool_agile_service_manager:1.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:netcool_agile_service_manager:1.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.7.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.0.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p4:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.1:-:*:*:*:*:*:*

OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:control_desk:7.6.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.xenial:def:201776580000000	V	CVE-2017-7658 on Ubuntu 16.04 LTS (xenial) - low.	2018-06-26
oval:com.ubuntu.artful:def:20177658000	V	CVE-2017-7658 on Ubuntu 17.10 (artful) - medium.	2018-06-26
oval:com.ubuntu.xenial:def:20177658000	V	CVE-2017-7658 on Ubuntu 16.04 LTS (xenial) - low.	2018-06-26
oval:com.ubuntu.disco:def:201776580000000	V	CVE-2017-7658 on Ubuntu 19.04 (disco) - low.	2018-06-26
oval:com.ubuntu.bionic:def:20177658000	V	CVE-2017-7658 on Ubuntu 18.04 LTS (bionic) - low.	2018-06-26
oval:com.ubuntu.cosmic:def:201776580000000	V	CVE-2017-7658 on Ubuntu 18.10 (cosmic) - low.	2018-06-26
oval:com.ubuntu.cosmic:def:20177658000	V	CVE-2017-7658 on Ubuntu 18.10 (cosmic) - low.	2018-06-26
oval:com.ubuntu.bionic:def:201776580000000	V	CVE-2017-7658 on Ubuntu 18.04 LTS (bionic) - low.	2018-06-26
oval:com.ubuntu.trusty:def:20177658000	V	CVE-2017-7658 on Ubuntu 14.04 LTS (trusty) - low.	2018-06-26