Vulnerability Name:CVE-2017-9735 (CCN-127842)

Assigned:2017-06-15
Published:2017-06-15
Updated:2022-03-15
Summary:Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-203
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2017-9735

Source: CCN
Type: Eclipse Web site
Jetty

Source: CCN
Type: IBM Security Bulletin 2006457 (Development Package for Apache Spark)
IBM Development Package for Apache Spark is affected by an Eclipse Jetty vulnerability

Source: CCN
Type: IBM Security Bulletin 2009537 (InfoSphere Information Server)
A vulnerability in Eclipse Jetty affects the IBM InfoSphere Information Server installers

Source: BID
Type: Third Party Advisory, VDB Entry
99104

Source: CCN
Type: BID-99104
Jetty CVE-2017-9735 Security Bypass Vulnerability

Source: MISC
Type: Issue Tracking, Mailing List, Third Party Advisory
https://bugs.debian.org/864631

Source: XF
Type: UNKNOWN
jetty-cve20179735-info-disc(127842)

Source: CCN
Type: Jetty GIT Repository
A timing channel in Password.java #1556

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://github.com/eclipse/jetty.project/issues/1556

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar

Source: MLIST
Type: Mailing List, Third Party Advisory
[hadoop-common-dev] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade

Source: MLIST
Type: Mailing List, Third Party Advisory
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

Source: MLIST
Type: Mailing List, Third Party Advisory
[hadoop-common-issues] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade

Source: MLIST
Type: Mailing List, Third Party Advisory
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update

Source: CCN
Type: IBM Security Bulletin 2006083 (Content Classification)
IBM Content Classification is affected by an Open Source Eclipse Jetty Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6320835 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6344071 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6466729 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6621343 (Control Desk)
Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk.

Source: CCN
Type: IBM Security Bulletin 7005945 (Storage Protect)
IBM Storage Protect Server is vulnerable to various attacks due to Eclipse jetty

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-9735

Vulnerable Configuration:Configuration 1:
  • cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version < 9.2.22)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.3.0 and < 9.3.20)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.4.0 and < 9.4.6)

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:oracle:communications_cloud_native_core_policy:1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_base_platform:13.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager_base_platform:13.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
  • OR cpe:/a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
  • OR cpe:/a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
  • OR cpe:/a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:eclipse:jetty:9.4.5:20180619:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:infosphere_information_server:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:content_classification:8.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p4:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_desk:7.6.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:com.ubuntu.xenial:def:201797350000000 | V | CVE-2017-9735 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-06-16
oval:com.ubuntu.artful:def:20179735000 | V | CVE-2017-9735 on Ubuntu 17.10 (artful) - medium. | 2017-06-16
oval:com.ubuntu.xenial:def:20179735000 | V | CVE-2017-9735 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-06-16
oval:com.ubuntu.disco:def:201797350000000 | V | CVE-2017-9735 on Ubuntu 19.04 (disco) - medium. | 2017-06-16
oval:com.ubuntu.bionic:def:20179735000 | V | CVE-2017-9735 on Ubuntu 18.04 LTS (bionic) - medium. | 2017-06-16
oval:com.ubuntu.cosmic:def:201797350000000 | V | CVE-2017-9735 on Ubuntu 18.10 (cosmic) - medium. | 2017-06-16
oval:com.ubuntu.cosmic:def:20179735000 | V | CVE-2017-9735 on Ubuntu 18.10 (cosmic) - medium. | 2017-06-16
oval:com.ubuntu.bionic:def:201797350000000 | V | CVE-2017-9735 on Ubuntu 18.04 LTS (bionic) - medium. | 2017-06-16
oval:com.ubuntu.trusty:def:20179735000 | V | CVE-2017-9735 on Ubuntu 14.04 LTS (trusty) - medium. | 2017-06-16