CVE-2017-7657

Name: CVE-2017-7657
Description: In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-4278-1
NVD severity: high (attack range: remote)
Debian Bugs: 902953

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| jetty (PTS) | jessie | 6.1.26-4 | vulnerable |
| jetty8 (PTS) | jessie | 8.1.16-4 | vulnerable |
| jetty9 (PTS) | stretch | 9.2.21-1 | vulnerable |
| | stretch (security) | 9.2.21-1+deb9u1 | fixed |
| | buster, sid | 9.2.26-1 | fixed |

The information below is based on the following data on fixed versions.

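| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| jetty | source | (unstable) | (unfixed) | high | | |
| jetty8 | source | (unstable) | (unfixed) | high | | |
| jetty9 | source | (unstable) | 9.2.25-1 | low | | 902953 |
| jetty9 | source | stretch | 9.2.21-1+deb9u1 | high | DSA-4278-1 | |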

Notes

[jessie] - jetty <ignored> (very hard to exploit, complex patch)
[jessie] - jetty8 <ignored> (very hard to exploit, complex patch)
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
https://github.com/eclipse/jetty.project/commit/a285deea
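
The chunk-length integer overflow named in the Description, as an added illustration (not Jetty's code and not taken from the linked commit): a hex chunk-size parser that accumulates into a 32-bit `int` without a bound, next to a version that rejects oversized values. The class name, method names and sample value are assumptions made for this example.

```java
// Added illustration, not Jetty's code. All names here are hypothetical.
public class ChunkSizeOverflowDemo {

    // Vulnerable pattern: the hex chunk size is accumulated in a 32-bit int
    // with no bounds check, so a long enough digit string wraps around.
    static int parseChunkSizeUnchecked(String hex) {
        int size = 0;
        for (int i = 0; i < hex.length(); i++) {
            size = size * 16 + hexValue(hex.charAt(i));
        }
        return size;
    }

    // Hardened pattern: refuse any digit that would push the value past
    // Integer.MAX_VALUE instead of letting the multiplication wrap.
    static int parseChunkSizeChecked(String hex) {
        if (hex.isEmpty()) {
            throw new IllegalArgumentException("empty chunk size");
        }
        int size = 0;
        for (int i = 0; i < hex.length(); i++) {
            int digit = hexValue(hex.charAt(i));
            if (size > (Integer.MAX_VALUE - digit) / 16) {
                throw new IllegalArgumentException("chunk size too large");
            }
            size = size * 16 + digit;
        }
        return size;
    }

    // Converts one hex character to its value, rejecting anything else.
    static int hexValue(char c) {
        int v = Character.digit(c, 16);
        if (v < 0) {
            throw new IllegalArgumentException("bad hex digit: " + c);
        }
        return v;
    }

    public static void main(String[] args) {
        String declared = "100000010"; // constructed sample: does not fit in 32 bits
        System.out.println("as long:   " + Long.parseLong(declared, 16));
        System.out.println("unchecked: " + parseChunkSizeUnchecked(declared));
        try {
            parseChunkSizeChecked(declared);
        } catch (IllegalArgumentException e) {
            System.out.println("checked:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

When the unchecked parser returns a smaller size than an intermediary computed for the same chunk header, the two disagree about where the chunk body ends, which is the condition the Description relies on.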
