Using a vulnerable version of the Jetty web server can lead to the compromise of sensitive data including data passed within headers (e.g. cookies, authentication tokens, etc.), as well as data passed in the POST body (e.g. usernames, passwords, authentication tokens, CSRF tokens, PII, etc.) of requests and responses handled by the web server.
The root cause of this vulnerability can be traced to exception-handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server. An attacker can exploit this behavior by submitting carefully crafted requests containing variable-length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user-submitted data from previous requests, the Jetty server will return specific data chunks from a previous exchange depending on the attacker’s payload offset.
Are You Vulnerable?
This vulnerability affects versions 9.2.3 to 9.2.8. GDS also found that beta releases (including the beta releases of 9.3.x) are vulnerable.
GDS have created a simple Python script that can be used to determine if a Jetty HTTP server is vulnerable. The script code can be downloaded from the GDS GitHub repository below:
If running one of the vulnerable Jetty web server versions, Jetty recommends that you upgrade to version 9.2.9.v20150224 immediately.
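For inventory triage, the affected range above can be applied to Server headers collected from internal hosts. The following is an added example written for this page, not the GDS script; it assumes the Jetty Server header format "Jetty(MAJOR.MINOR.PATCH.qualifier)", where release builds carry a "vYYYYMMDD" qualifier and pre-release builds carry another qualifier such as "M1", and the sample header values are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed header format, e.g. "Jetty(9.2.9.v20150224)" or a milestone build "Jetty(9.3.0.M1)".
_JETTY_RE = re.compile(r"Jetty\((\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?\)")

# Affected release range stated in the advisory: 9.2.3 through 9.2.8 inclusive.
VULNERABLE_MIN = (9, 2, 3)
VULNERABLE_MAX = (9, 2, 8)
# The advisory also reports beta releases of the 9.2.x and 9.3.x lines as vulnerable.
BETA_LINES = ((9, 2), (9, 3))


def parse_server_header(value: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), qualifier) from a Server header, or None if not Jetty."""
    m = _JETTY_RE.search(value)
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, (m.group(4) or "")


def is_prerelease(qualifier: str) -> bool:
    # Release builds use "v" + an 8-digit date; anything else (M1, RC0, ...) is treated as pre-release.
    return bool(qualifier) and re.fullmatch(r"v\d{8}", qualifier) is None


def assess(server_header: str) -> str:
    """Classify one Server header: 'vulnerable', 'not_in_advisory_range' or 'unknown'."""
    parsed = parse_server_header(server_header)
    if parsed is None:
        # Absence of a Jetty banner is not proof of safety: proxies often rewrite or drop it.
        return "unknown"
    core, qualifier = parsed
    if VULNERABLE_MIN <= core <= VULNERABLE_MAX:
        return "vulnerable"
    if core[:2] in BETA_LINES and is_prerelease(qualifier):
        return "vulnerable"
    return "not_in_advisory_range"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by assessment so vulnerable and unknown hosts can be followed up first."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "not_in_advisory_range": [], "unknown": []}
    for host, header in inventory.items():
        buckets[assess(header)].append(host)
    return buckets
```

Hosts that land in "unknown" still need a direct check (for example with the GDS script) because a suppressed or rewritten Server header hides the version.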
Organizations should also be aware that Jetty might be bundled within third party products. GDS recommends referring to the Jetty Powered website (http://eclipse.org/jetty/powered/) for a non-exhaustive list of products that utilize Jetty. Due to Jetty being a fairly lightweight HTTP server, it is also commonly used by a variety of embedded systems. Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available.
We have encountered cases where development teams use Jetty as a lightweight replacement for app servers such as Tomcat for internal testing. Organizations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty.
The latest release of the Jetty HTTP server is available for download at the following locations:
A thorough technical analysis of the vulnerability is available on the GDS blog at:
Jetty Vulnerability Announcement:
Jetty Vulnerability Advisory:
Credit: Stephen Komal of Gotham Digital Science for discovering the bug.