Vulnerability Name: CVE-2017-9735 (CCN-127842)
Assigned: 2017-06-15
Published: 2017-06-15
Updated: 2022-03-15

Summary: Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

CVSS v3 Severity:
  7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): High; Integrity (I): None; Availability (A): None

CCN CVSS v3 Severity:
  7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): High; Integrity (I): None; Availability (A): None

CVSS v2 Severity:
  5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

CCN CVSS v2 Severity:
  7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Complete; Integrity (I): None; Availability (A): None
Vulnerability Type: CWE-203
Vulnerability Consequences: Obtain Information

References:
  Source: MITRE; Type: CNA; CVE-2017-9735
  Source: CCN; Type: Eclipse Web site; Jetty
  Source: CCN; Type: IBM Security Bulletin 2006457 (Development Package for Apache Spark); IBM Development Package for Apache Spark is affected by an Eclipse Jetty vulnerability
  Source: CCN; Type: IBM Security Bulletin 2009537 (InfoSphere Information Server); A vulnerability in Eclipse Jetty affects the IBM InfoSphere Information Server installers
  Source: BID; Type: Third Party Advisory, VDB Entry; 99104
  Source: CCN; Type: BID-99104; Jetty CVE-2017-9735 Security Bypass Vulnerability
  Source: MISC; Type: Issue Tracking, Mailing List, Third Party Advisory; https://bugs.debian.org/864631
  Source: XF; Type: UNKNOWN; jetty-cve20179735-info-disc(127842)
  Source: CCN; Type: Jetty GIT Repository; A timing channel in Password.java #1556
  Source: MISC; Type: Issue Tracking, Patch, Third Party Advisory; https://github.com/eclipse/jetty.project/issues/1556
  Source: MLIST; Type: Mailing List, Third Party Advisory; [activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar
  Source: MLIST; Type: Mailing List, Third Party Advisory; [hadoop-common-dev] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade
  Source: MLIST; Type: Mailing List, Third Party Advisory; [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
  Source: MLIST; Type: Mailing List, Third Party Advisory; [hadoop-common-issues] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade
  Source: MLIST; Type: Mailing List, Third Party Advisory; [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
  Source: MLIST; Type: Mailing List, Third Party Advisory; [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
  Source: MLIST; Type: Mailing List, Third Party Advisory; [debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update
  Source: CCN; Type: IBM Security Bulletin 2006083 (Content Classification); IBM Content Classification is affected by Open Source Eclipse Jetty vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 6320835 (Security Guardium Data Encryption); Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)
  Source: CCN; Type: IBM Security Bulletin 6344071 (QRadar SIEM); IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 6466729 (Cognos Analytics); IBM Cognos Analytics has addressed multiple vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 6621343 (Control Desk); Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk
  Source: CCN; Type: IBM Security Bulletin 7005945 (Storage Protect); IBM Storage Protect Server is vulnerable to various attacks due to Eclipse Jetty
  Source: N/A; Type: Third Party Advisory; N/A
  Source: CCN; Type: Oracle CPU Jul2021; Oracle Critical Patch Update Advisory - July 2021
  Source: MISC; Type: Third Party Advisory; https://www.oracle.com/security-alerts/cpuoct2020.html
  Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  Source: CCN; Type: WhiteSource Vulnerability Database; CVE-2017-9735

Vulnerable Configuration:
  Configuration 1:
    cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version < 9.2.22)
    OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.3.0 and < 9.3.20)
    OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.4.0 and < 9.4.6)
  Configuration 2:
    cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  Configuration 3:
    cpe:/a:oracle:communications_cloud_native_core_policy:1.5.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:enterprise_manager_base_platform:13.2:*:*:*:*:*:*:*
    OR cpe:/a:oracle:enterprise_manager_base_platform:13.3:*:*:*:*:*:*:*
    OR cpe:/a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
    OR cpe:/a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
    OR cpe:/a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
    OR cpe:/a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
    OR cpe:/a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
    OR cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
    OR cpe:/a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
  Configuration CCN 1:
    cpe:/a:eclipse:jetty:9.4.5:20180619:*:*:*:*:*:*
    AND cpe:/a:ibm:infosphere_information_server:9.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:content_classification:8.8:*:*:*:*:*:*:*
    OR cpe:/a:ibm:infosphere_information_server:11.3:*:*:*:*:*:*:*
    OR cpe:/a:ibm:infosphere_information_server:11.5:*:*:*:*:*:*:*
    OR cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p4:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.1:-:*:*:*:*:*:*
    OR cpe:/a:ibm:control_desk:7.6.1:*:*:*:*:*:*:*

Affected Products (vendor, product, version):
Vendor    Product                                              Version
eclipse   jetty                                                * (< 9.2.22)
eclipse   jetty                                                * (>= 9.3.0 and < 9.3.20)
eclipse   jetty                                                * (>= 9.4.0 and < 9.4.6)
debian    debian linux                                         9.0
oracle    communications cloud native core policy              1.5.0
oracle    enterprise manager base platform                     13.2
oracle    enterprise manager base platform                     13.3
oracle    hospitality guest access                             4.2.0
oracle    hospitality guest access                             4.2.1
oracle    rest data services                                   11.2.0.4
oracle    rest data services                                   12.1.0.2
oracle    rest data services                                   12.2.0.1
oracle    rest data services                                   18c
oracle    retail xstore point of service                       7.1
oracle    retail xstore point of service                       15.0
oracle    retail xstore point of service                       16.0
oracle    retail xstore point of service                       17.0
eclipse   jetty                                                9.4.5 20180619
ibm       infosphere information server                        9.1
ibm       content classification                               8.8
ibm       infosphere information server                        11.3
ibm       infosphere information server                        11.5
ibm       cognos analytics                                     11.0
ibm       qradar security information and event manager       7.3.0
ibm       cognos analytics                                     11.1
ibm       security guardium data encryption                    3.0.0.2
ibm       qradar security information and event manager       7.3.3 p4
ibm       qradar security information and event manager       7.4.0
ibm       qradar security information and event manager       7.4.1 -
ibm       control desk                                         7.6.1