From ca5165bd065c5a3bf7c150918eebe66f5dddb3b6 Mon Sep 17 00:00:00 2001 From: Chris Walker Date: Tue, 13 Oct 2020 12:08:57 -0500 Subject: [PATCH] Updating security reports to reference project page --- .../reference/contributing/chapter.adoc | 1 - .../reference/contributing/security.adoc | 32 ---- .../troubleshooting/security-reports.adoc | 148 ++---------------- 3 files changed, 11 insertions(+), 170 deletions(-) delete mode 100644 jetty-documentation/src/main/asciidoc/reference/contributing/security.adoc diff --git a/jetty-documentation/src/main/asciidoc/reference/contributing/chapter.adoc b/jetty-documentation/src/main/asciidoc/reference/contributing/chapter.adoc index 7a2b3e8188ec..0e5c8108cc99 100644 --- a/jetty-documentation/src/main/asciidoc/reference/contributing/chapter.adoc +++ b/jetty-documentation/src/main/asciidoc/reference/contributing/chapter.adoc @@ -28,6 +28,5 @@ include::source-build.adoc[] include::coding-standards.adoc[] include::bugs.adoc[] include::patches.adoc[] -include::security.adoc[] include::releasing-jetty.adoc[] include::release-testing.adoc[] diff --git a/jetty-documentation/src/main/asciidoc/reference/contributing/security.adoc b/jetty-documentation/src/main/asciidoc/reference/contributing/security.adoc deleted file mode 100644 index aa3c79fb28b8..000000000000 --- a/jetty-documentation/src/main/asciidoc/reference/contributing/security.adoc +++ /dev/null 
@@ -1,32 +0,0 @@ -// -// ======================================================================== -// Copyright (c) 1995-2020 Mort Bay Consulting Pty Ltd and others. -// ======================================================================== -// All rights reserved. This program and the accompanying materials -// are made available under the terms of the Eclipse Public License v1.0 -// and Apache License v2.0 which accompanies this distribution. -// -// The Eclipse Public License is available at -// http://www.eclipse.org/legal/epl-v10.html -// -// The Apache License v2.0 is available at -// http://www.opensource.org/licenses/apache2.0.php -// -// You may elect to redistribute this code under either of these licenses. -// ======================================================================== -// - -[[security-reporting]] -=== Reporting Security Issues - -There are a number of avenues for reporting security issues to the Jetty project available. -If the issue is directly related to Jetty itself then reporting to the Jetty developers is encouraged. -The most direct method is to mail _security@webtide.com_. -Since Webtide is comprised of the active committers of the Jetty project this is our preferred reporting method. -We are generally flexible in how we work with reporters of security issues but we reserve the right to act in the interests of the Jetty project in all circumstances. - -If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to _security@eclipse.org_. - -If the issue is related to integrations with Jetty we are happy to work with you to identify the proper entity and either of the approaches above is fine. - -We prefer that security issues are reported directly to Jetty developers as opposed through GitHub Issues since it has no facility to tag issues as _private_. 
diff --git a/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc b/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc index 484a3a5dbdf4..a652b69b2812 100644 --- a/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc +++ b/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc 
@@ -19,147 +19,21 @@ [[security-reports]] === Jetty Security Reports -The following sections provide information about Jetty security issues. +==== List of Security Reports -If you would like to report a security issue please follow these link:#security-reporting[instructions]. +A current list of Jetty security reports can be viewed on the link:https://www.eclipse.org/jetty/security-reports.htmlhttps://www.eclipse.org/jetty/security-reports.html[Project Home Page.] -.Resolved Issues -[width="99%",cols="11%,19%,14%,9%,14%,14%,19%",options="header",] -|======================================================================= -|yyyy/mm/dd |ID |Exploitable |Severity |Affects |Fixed Version |Comment +==== Reporting Security Issues -|2019/08/13 |CVE-2019-9518 |Med |Med |< = 9.4.20 |9.4.21 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518[Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.] +There are a number of avenues for reporting security issues to the Jetty project available. -|2019/08/13 |CVE-2019-9516 |Med |Med |< = 9.4.20 |9.4.21 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516[Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.] +If the issue is directly related to Jetty itself then reporting to the Jetty developers is encouraged. +The most direct method is to mail _security@webtide.com_. +Since Webtide is comprised of the active committers of the Jetty project this is our preferred reporting method. +We are generally flexible in how we work with reporters of security issues but we reserve the right to act in the interests of the Jetty project in all circumstances. 
-|2019/08/13 |CVE-2019-9515 |Med |Med |< = 9.4.20 |9.4.21 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515[Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service when an attacker sent a stream of SETTINGS frames to the peer.] +If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to _security@eclipse.org_. -|2019/08/13 |CVE-2019-9514 |Med |Med |< = 9.4.20 |9.4.21 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514[Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.] +If the issue is related to integrations with Jetty we are happy to work with you to identify the proper entity and either of the approaches above is fine. -|2019/08/13 |CVE-2019-9512 |Low |Low |< = 9.4.20 |9.4.21 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512[Some HTTP/2 implementations are vulnerable to ping floods which could lead to a denial of service.] - -|2019/08/13 |CVE-2019-9511 |Low |Low |< = 9.4.20 |9.4.21 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511[Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation which could lead to a denial of service.] - -|2019/04/11 |CVE-2019-10247 |Med |Med |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247[If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context.] - -|2019/04/11 |CVE-2019-10246 |High |High |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing on Windows operating systems.] 
- -|2019/04/11 |CVE-2019-10241 |High |High |< = 9.4.15 |9.2.27, 9.3.26, 9.4.16 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing.] - -|2018/06/25 |CVE-2018-12538 |High |High |>= 9.4.0, < = 9.4.8 |9.4.9 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538[`HttpSessions` present specifically in the FileSystem’s storage could be hijacked/accessed by an unauthorized user.] - -|2018/06/25 |CVE-2018-12536 |High |See https://cwe.mitre.org/data/definitions/209.html[CWE-202] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536[`InvalidPathException` Message reveals webapp system path.] - -|2018/06/25 |CVE-2017-7658 |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7658[Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace.] - -|2018/06/25 |CVE-2017-7657 |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657[HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).] - -|2018/06/25 |CVE-2017-7656 |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11 -|https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7656[HTTP Request Smuggling when used with invalid request headers (for HTTP/0.9).] 
- -|2016/05/31 |CVE-2016-4800 |high |high |>= 9.3.0, < = 9.3.8 |9.3.9 -|http://www.ocert.org/advisories/ocert-2016-001.html[Alias vulnerability allowing access to protected resources within a webapp on Windows.] - -|2015/02/24 |http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html[CVE-2015-2080] |high |high |>=9.2.3 <9.2.9 |9.2.9 -|JetLeak exposure of past buffers during HttpParser error - -|2013/11/27 |http://en.securitylab.ru/lab/PT-2013-65[PT-2013-65] |medium -|high |>=9.0.0 <9.0.5 |9.0.6 -https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014[418014] |Alias checking disabled by NTFS errors on Windows. - -|2013/07/24 -|https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684] |low -|medium |>=7.6.9 <9.0.5 |7.6.13,8.1.13,9.0.5 -https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684] -|Constraints bypassed if Unix symlink alias checker used on Windows. - -|2011/12/29 -|http://www.ocert.org/advisories/ocert-2011-003.html[CERT2011-003] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461[CVE-2011-4461] -|high |medium |All versions |7.6.0.RCO -https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638[Jetty-367638] -|Added ContextHandler.setMaxFormKeys (intkeys) to limit the number of parameters (default 1000). - -|2009/11/05 -|http://www.kb.cert.org/vuls/id/120541[CERT2011-003] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555[CERT2011-003] -|medium |high |JVM<1.6u19 |jetty-7.01.v20091125, jetty-6.1.22 |Work -around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 -setAllowRenegotiate(true) may be called on connectors. - -|2009/06/18 |Jetty-1042 |low -|high |< = 6.1.18, < = 7.0.0.M4 |6.1.19, 7.0.0.Rc0 |Cookie leak between -requests sharing a connection. - -|2009/04/30 |http://www.kb.cert.org/vuls/id/402580[CERT402580] |medium -|high |< = 6.1.16, < = 7.0.0.M2 a| -5.1.15, 6.1.18, 7.0.0.M2 - -Jetty-1004 - - |View arbitrary disk content in some specific configurations. 
- -|2007/12/22 -|http://www.kb.cert.org/vuls/id/553235[CERT553235] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672[CVE-2007-6672] -|high |medium |6.1.rrc0-6.1.6 a| -6.1.7 - -CERT553235 - - |Static content visible in WEB-INF and past security constraints. - -|2007/11/05 -|http://www.kb.cert.org/vuls/id/438616[CERT438616] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614[CVE-2007-5614] -|low |low |<6.1.6 |6.1.6rc1 (patch in CVS for jetty5) |Single quote in -cookie name. - -|2007/11/05 -|http://www.kb.cert.org/vuls/id/237888[CERT237888>] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613[CVE-2007-5613] -|low |low |<6.1.6 |6.1.6rc0 (patch in CVS for jetty5) |XSS in demo dup -servlet. - -|2007/11/03 |http://www.kb.cert.org/vuls/id/212984[CERT212984 ->] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615[CVE-2007-5615] -|medium |medium |<6.1.6 |6.1.6rc0 (patch in CVS for jetty5) |CRLF -Response splitting. - -|2006/11/22 -|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969[CVE-2006-6969] -|low |high |<6.1.0, <6.0.2, <5.1.12, <4.2.27 |6.1.0pre3, 6.0.2, 5.1.12, -4.2.27 |Session ID predictability. - -|2006/06/01 -|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759[CVE-2006-2759] -|medium |medium |<6.0.*, <6.0.0Beta17 |6.0.0Beta17 |JSP source -visibility. - -|2006/01/05 | |medium |medium |<5.1.10 |5.1.10 |Fixed //security -constraint bypass on Windows. - -|2005/11/18 -|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758[CVE-2006-2758] -|medium |medium |<5.1.6 |5.1.6, 6.0.0Beta4 |JSP source visibility. - -|2004/02/04 |JSSE 1.0.3_01 |medium |medium |<4.2.7 |4.2.7 |Upgraded JSSE -to obtain downstream security fix. - -|2002/09/22 | |high |high |<4.1.0 |4.1.0 |Fixed CGI servlet remove -exploit. - -|2002/03/12 | |medium | |<3.1.7 |4.0.RC2, 3.1.7 |Fixed // security -constraint bypass. - -|2001/10/21 |medium | |high |<3.1.3 |3.1.3 |Fixed trailing null security -constraint bypass. 
-|======================================================================= +We prefer that security issues are reported directly to Jetty developers as opposed through GitHub Issues since it currently has *no* facility to tag issues as _private_.
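Review bot: dropping `include::security.adoc[]` from the contributing chapter leaves the contributing guide with no pointer to where reporting instructions now live; consider replacing the removed include with a one-line cross-reference such as `See <<security-reports>> for how to report a security issue.` so contributors who land in this chapter still find the reporting address.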
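Review bot: deleting security.adoc also deletes the `[[security-reporting]]` anchor, and the removed line `link:#security-reporting[instructions]` in security-reports.adoc shows that id was a cross-reference target, so any other page in the tree that still links to `#security-reporting` will now produce a dangling link. Suggest grepping the documentation sources for `security-reporting` and, if references remain, placing `[[security-reporting]]` directly above the new `==== Reporting Security Issues` heading so the existing id keeps resolving.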
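Review bot: the link in the added "List of Security Reports" paragraph has the URL pasted twice and will render as a broken href: `link:https://www.eclipse.org/jetty/security-reports.htmlhttps://www.eclipse.org/jetty/security-reports.html[Project Home Page.]`. It should be `link:https://www.eclipse.org/jetty/security-reports.html[Project Home Page]` with the period outside the link text. Two smaller points in the same hunk: the moved sentence `as opposed through GitHub Issues` should read `as opposed to through GitHub Issues`, and since the removed table carried entries back to 2001 (CERT, bugzilla and pre-CVE ids), please confirm the project page lists that full history before this copy is dropped, or note in the new paragraph that the page covers recent reports only.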