CVE-2017-9735

Published: 16 June 2017

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

From the Ubuntu security team

It was discovered that Jetty incorrectly handled rejection of passwords. An attacker could use this issue to possibly obtain sensitive information via a timing side-channel attack.
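The timing channel described above comes from a password check that stops at the first mismatching character, so the time to reject a wrong guess depends on how long its correct prefix is. The following added illustration (not Jetty's own code, and not the content of the upstream fix commits listed below) contrasts such an early-exit comparison with a constant-time one. The class name, the sample secret and the guesses are constructed; a counter of characters examined stands in for elapsed time, since wall-clock measurements are noisy in a short demo.

```java
import java.nio.charset.StandardCharsets;

// Added illustration, not Jetty's code: an early-exit password comparison
// versus a constant-time one. charsExamined is a deterministic stand-in for
// the elapsed time an attacker would observe.
public class PasswordTimingExample {

    // Number of characters examined by the most recent comparison.
    static int charsExamined;

    // Early-exit comparison: returns at the first mismatch, so the work done
    // grows with the length of the correct prefix of the guess.
    static boolean earlyExitEquals(String expected, String supplied) {
        charsExamined = 0;
        if (expected.length() != supplied.length()) {
            return false;
        }
        for (int i = 0; i < expected.length(); i++) {
            charsExamined++;
            if (expected.charAt(i) != supplied.charAt(i)) {
                return false; // timing reveals how many leading characters matched
            }
        }
        return true;
    }

    // Constant-time comparison: examines every byte of the supplied value
    // regardless of where the first difference is, folding all differences
    // (including a length mismatch) into one accumulator.
    static boolean constantTimeEquals(String expected, String supplied) {
        charsExamined = 0;
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        int diff = a.length ^ b.length;
        for (int i = 0; i < b.length; i++) {
            charsExamined++;
            // Index into the expected value without branching on its content;
            // when the guess is longer than the secret, compare against 0.
            byte x = (i < a.length) ? a[i] : 0;
            diff |= x ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        String secret = "correcthorse"; // constructed sample secret
        String[] guesses = { "xorrecthorse", "corrxcthorse", "correcthorsx", "correcthorse" };

        System.out.println("early-exit comparison:");
        for (String g : guesses) {
            boolean ok = earlyExitEquals(secret, g);
            System.out.printf("  %-14s match=%-5b chars examined=%d%n", g, ok, charsExamined);
        }
        System.out.println("constant-time comparison:");
        for (String g : guesses) {
            boolean ok = constantTimeEquals(secret, g);
            System.out.printf("  %-14s match=%-5b chars examined=%d%n", g, ok, charsExamined);
        }
    }
}
```

Compile and run with `javac PasswordTimingExample.java && java PasswordTimingExample`. The early-exit path examines 1, 5, 12 and 12 characters for the four guesses, so the rejection time tracks the matched prefix; the constant-time path examines all 12 every time. In the JDK, `java.security.MessageDigest.isEqual(byte[], byte[])` is the standard-library constant-time comparison; check its behaviour on unequal-length inputs for the release you run, since older JDKs returned early on a length mismatch. The same comparison should be applied to stored password hashes rather than plaintext, which the plaintext strings here stand in for only to keep the illustration short.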

Priority

Medium

CVSS 3 base score: 7.5

Status

Package     Release                         Status
jetty (Launchpad, Ubuntu, Debian)
            Upstream                        Released (6.1.26-1+deb7u1)
            Ubuntu 21.04 (Hirsute Hippo)    Does not exist
            Ubuntu 20.04 LTS (Focal Fossa)  Does not exist
            Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
            Ubuntu 16.04 ESM (Xenial Xerus) Released (6.1.26-5ubuntu0.1)
            Ubuntu 14.04 ESM (Trusty Tahr)  Released (6.1.26-1ubuntu1.2)
jetty8 (Launchpad, Ubuntu, Debian)
            Upstream                        Released (8.1.3-4+deb7u1)
            Ubuntu 21.04 (Hirsute Hippo)    Does not exist
            Ubuntu 20.04 LTS (Focal Fossa)  Does not exist
            Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
            Ubuntu 16.04 ESM (Xenial Xerus) Ignored (end of standard support, was needed)
            Ubuntu 14.04 ESM (Trusty Tahr)  Needed
jetty9 (Launchpad, Ubuntu, Debian)
            Upstream                        Released (9.2.22-1)
            Ubuntu 21.04 (Hirsute Hippo)    Not vulnerable (9.2.26-1)
            Ubuntu 20.04 LTS (Focal Fossa)  Not vulnerable (9.2.26-1)
            Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (9.2.23-1)
            Ubuntu 16.04 ESM (Xenial Xerus) Ignored (end of standard support, was needed)
            Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist

Patches:
Upstream: https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02
Upstream: https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58
Upstream: https://github.com/eclipse/jetty.project/commit/2baa1abe4b1c380a30deacca1ed367466a1a62ea