CVE-2017-9735
Published: 16 June 2017
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
From the Ubuntu Security Team
It was discovered that Jetty incorrectly handled rejection of passwords. An attacker could use this issue to possibly obtain sensitive information via timing side-channel attack.
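The timing channel described above arises when a password check returns as soon as the first mismatching character is found, so the time taken to reject a wrong password reveals how long its correct prefix is. The following added example, which is not Jetty's code and uses hypothetical names, shows that weak pattern next to a fixed-work comparison of the kind used to close such channels.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public final class PasswordCompare {

    // Weak pattern (the bug class in this advisory): exits at the first
    // differing byte, so rejection time grows with the matching prefix.
    static boolean earlyExitEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != supplied[i]) {
                return false;
            }
        }
        return true;
    }

    // Hardened pattern: always walks the whole supplied value and folds the
    // length mismatch into one accumulator, so the work done does not depend
    // on where the first difference is. Wrapping the index into expected
    // keeps a wrong-length guess from short-circuiting the loop.
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        int diff = expected.length ^ supplied.length;
        for (int i = 0; i < supplied.length; i++) {
            int e = expected.length == 0 ? 0 : expected[i % expected.length];
            diff |= e ^ supplied[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not from the advisory.
        byte[] stored = "correct horse".getBytes(StandardCharsets.UTF_8);
        byte[] nearMiss = "correct hors3".getBytes(StandardCharsets.UTF_8);
        byte[] exact = "correct horse".getBytes(StandardCharsets.UTF_8);

        System.out.println("early-exit, near miss: " + earlyExitEquals(stored, nearMiss));
        System.out.println("constant-time, near miss: " + constantTimeEquals(stored, nearMiss));
        System.out.println("constant-time, exact:     " + constantTimeEquals(stored, exact));
        // The JDK also ships a fixed-work comparison for exactly this purpose.
        System.out.println("MessageDigest.isEqual:    " + MessageDigest.isEqual(stored, exact));
    }
}
```

Both comparisons return the same boolean for every input; the difference is only in how long a rejection takes, which is why unit tests alone will not catch this class of defect.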
Priority
Status
Package | Release | Status
---|---|---
jetty (Launchpad, Ubuntu, Debian) | artful | Does not exist
jetty (Launchpad, Ubuntu, Debian) | bionic | Does not exist
jetty (Launchpad, Ubuntu, Debian) | cosmic | Does not exist
jetty (Launchpad, Ubuntu, Debian) | disco | Does not exist
jetty (Launchpad, Ubuntu, Debian) | eoan | Does not exist
jetty (Launchpad, Ubuntu, Debian) | focal | Does not exist
jetty (Launchpad, Ubuntu, Debian) | groovy | Does not exist
jetty (Launchpad, Ubuntu, Debian) | hirsute | Does not exist
jetty (Launchpad, Ubuntu, Debian) | impish | Does not exist
jetty (Launchpad, Ubuntu, Debian) | jammy | Does not exist
jetty (Launchpad, Ubuntu, Debian) | kinetic | Does not exist
jetty (Launchpad, Ubuntu, Debian) | lunar | Does not exist
jetty (Launchpad, Ubuntu, Debian) | mantic | Does not exist
jetty (Launchpad, Ubuntu, Debian) | trusty | Released (6.1.26-1ubuntu1.2)
jetty (Launchpad, Ubuntu, Debian) | upstream | Released (6.1.26-1+deb7u1)
jetty (Launchpad, Ubuntu, Debian) | xenial | Released (6.1.26-5ubuntu0.1)
jetty (Launchpad, Ubuntu, Debian) | yakkety | Does not exist
jetty (Launchpad, Ubuntu, Debian) | zesty | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | artful | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | bionic | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | cosmic | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | disco | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | eoan | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | focal | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | groovy | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | hirsute | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | impish | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | jammy | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | kinetic | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | lunar | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | mantic | Does not exist
jetty8 (Launchpad, Ubuntu, Debian) | trusty | Needed
jetty8 (Launchpad, Ubuntu, Debian) | upstream | Released (8.1.3-4+deb7u1)
jetty8 (Launchpad, Ubuntu, Debian) | xenial | Needed
jetty8 (Launchpad, Ubuntu, Debian) | yakkety | Ignored (end of life)
jetty8 (Launchpad, Ubuntu, Debian) | zesty | Does not exist
jetty9 (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life)
jetty9 (Launchpad, Ubuntu, Debian) | bionic | Not vulnerable (9.2.23-1)
jetty9 (Launchpad, Ubuntu, Debian) | cosmic | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | disco | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | eoan | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | focal | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | groovy | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | hirsute | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | impish | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | jammy | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | kinetic | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | lunar | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | mantic | Not vulnerable (9.2.26-1)
jetty9 (Launchpad, Ubuntu, Debian) | trusty | Does not exist
jetty9 (Launchpad, Ubuntu, Debian) | upstream | Released (9.2.22-1)
jetty9 (Launchpad, Ubuntu, Debian) | xenial | Needed
jetty9 (Launchpad, Ubuntu, Debian) | yakkety | Ignored (end of life)
jetty9 (Launchpad, Ubuntu, Debian) | zesty | Ignored (end of life)

Patches:
- upstream: https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02
- upstream: https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58
- upstream: https://github.com/eclipse/jetty.project/commit/2baa1abe4b1c380a30deacca1ed367466a1a62ea
Severity score breakdown
Parameter | Value
---|---
Base score | 7.5
Attack vector | Network
Attack complexity | Low
Privileges required | None
User interaction | None
Scope | Unchanged
Confidentiality impact | High
Integrity impact | None
Availability impact | None
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
- https://github.com/eclipse/jetty.project/issues/1556
- https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02
- https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58
- https://github.com/eclipse/jetty.project/commit/2baa1abe4b1c380a30deacca1ed367466a1a62ea
- https://bugs.debian.org/864631
- https://www.cve.org/CVERecord?id=CVE-2017-9735
- NVD
- Launchpad
- Debian