Vulnerability Name: CVE-2021-34428 (CCN-204227) Assigned: 2021-06-22 Published: 2021-06-22 Updated: 2022-05-12 Summary: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. CVSS v3 Severity: 3.5 Low (CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.1 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): PhysicalAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): LowIntegrity (I): LowAvailibility (A): None
3.2 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): PhysicalAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): LowIntegrity (I): LowAvailibility (A): None
CVSS v2 Severity: 3.6 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): None
3.2 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:P/A:N Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): None
Vulnerability Type: CWE-613 Vulnerability Consequences: Bypass Security References: Source: MITRECVE-2021-34428 eclipse-cve202134428-sec-bypass(204227) SessionListener can prevent a session from being invalidated breaking logout https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6 [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42 https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42 [kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41 [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42 https://security.netapp.com/advisory/ntap-20210813-0003/ DSA-4949 IBM MQ is vulnerable to multiple Jetty vulnerabilities (CVE-2021-34428, CVE-2021-34429, CVE-2021-28169) An Eclipse Jetty vulnerability affects IBM Rational Functional Tester Vulnerability in Eclipse Jetty affects IBM Process Mining (Multiple CVEs) IBM MQ is vulnerable to multiple Eclipse Jetty issues IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty IBM MaaS360 Mobile Enterprise Gateway uses Eclipse Jetty with multiple known vulnerabilities IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty Vulnerabilities in Eclipse Jetty affect Rational Performance Tester (CVE-2021-28169, CVE-2021-34428, CVE-2021-28163, CVE-2021-28164, CVE-2021-34429, CVE-2021-28165) Vulnerabilities in Eclipse Jetty affect Rational Service Tester (CVE-2021-28169, CVE-2021-34428, CVE-2021-28163, CVE-2021-28164, CVE-2021-34429, CVE-2021-28165) IBM QRadar SIEM includes components with multiple known vulnerabilities Multiple Vulnerabilities in Rational Change Fix Pack 04 for 5.3.2 Multiple Vulnerabilities in Rational Synergy 7.2.2.4 Multiple vulnerabilities in Eclipse Jetty affect IBM InfoSphere Information Server IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities. IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty IBM Cognos Command Center is affected by multiple vulnerabilities IBM Storage Protect Server is vulnerable to various attacks due to Eclipse jetty https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpuoct2021.html CVE-2021-34428 Vulnerable Configuration: Configuration 1 :cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.0.2)OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 10.0.0 and <= 10.0.2) OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version <= 9.4.40) Configuration 2 :cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:* Configuration 3 :cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* OR cpe:/a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:* OR cpe:/a:netapp:snapmanager:-:*:*:*:*:sap:*:* OR cpe:/a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:* OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0 and <= 11.70.1) OR cpe:/a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:* Configuration 4 :cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* OR cpe:/a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:* (Version <= 21.9) OR cpe:/a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.4.0) OR cpe:/a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:* OR cpe:/a:oracle:rest_data_services:*:*:*:*:-:*:*:* (Version < 21.3) OR cpe:/a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.2.4.0) Configuration CCN 1 :cpe:/a:eclipse:jetty:9.4.40:*:*:*:*:*:*:* OR cpe:/a:eclipse:jetty:10.0.2:*:*:*:*:*:*:* OR cpe:/a:eclipse:jetty:11.0.2:*:*:*:*:*:*:* AND cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:* OR cpe:/a:ibm:mq:9.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:mq:9.1.0:*:*:*:continuous_delivery:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:* OR cpe:/a:ibm:rational_service_tester:9.5:*:*:*:soa_quality:*:*:* OR cpe:/a:ibm:mq:9.2.0:*:*:*:*:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:* OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:* BACK
eclipse jetty *
eclipse jetty *
eclipse jetty *
debian debian linux 10.0
netapp snap creator framework -
netapp santricity cloud connector -
netapp snapmanager -
netapp e-series santricity web services -
netapp active iq unified manager -
netapp active iq unified manager -
netapp e-series santricity os controller *
netapp element plug-in for vcenter server -
oracle communications services gatekeeper 7.0
oracle autovue for agile product lifecycle management 21.0.2
oracle siebel core - automation *
oracle communications session route manager *
oracle communications element manager 8.2.2
oracle rest data services *
oracle communications session report manager *
eclipse jetty 9.4.40
eclipse jetty 10.0.2
eclipse jetty 11.0.2
ibm infosphere information server 11.7
ibm qradar security information and event manager 7.3
ibm sterling b2b integrator 6.0.0.0
ibm cognos command center 10.2.4.1
ibm rational functional tester 9.5
ibm mq 9.0.0
ibm mq 9.1.0
ibm qradar security information and event manager 7.4 -
ibm rational service tester 9.5
ibm mq 9.2.0
ibm sterling b2b integrator 6.1.0.0
ibm sterling b2b integrator 6.1.1.0
ibm security verify governance 10.0
Denotes that component is vulnerable