CVE-2017-7657: Integer Overflow
First published: Tue Jun 26 2018(Updated: )
Eclipse Jetty is vulnerable to HTTP request smuggling, caused by improper handling of Chunked Transfer-Encoding chunk size. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/jetty9 | 9.4.16-0+deb10u1 9.4.16-0+deb10u3 9.4.39-3+deb11u2 9.4.50-4+deb12u1 9.4.53-1 | |
| redhat/jetty | <9.3.24. | 9.3.24. |
| redhat/jetty | <9.4.11. | 9.4.11. |
| Mortbay Jetty | <=9.2.26 | |
| Mortbay Jetty | >=9.3.0<9.3.24 | |
| Mortbay Jetty | >=9.4.0<9.4.11 | |
| Debian Linux | =9.0 | |
| NetApp E-Series SANtricity Management for VMware vCenter | ||
| NetApp E-Series SANtricity OS Controller | >=11.0<=11.50.1 | |
| NetApp E-Series SANtricity Web Services | ||
| NetApp Management Services for Element Software | ||
| NetApp Element Software | ||
| NetApp HCI Storage Node | ||
| NetApp System Manager | =3.x | |
| NetApp OnCommand Unified Manager for Windows | <5.2.4 | |
| NetApp SANtricity Cloud Connector | ||
| NetApp Snap Creator Framework | <4.3.3 | |
| NetApp SnapCenter | <4.1p3 | |
| NetApp SnapManager for Oracle | <3.4.2 | |
| NetApp SnapManager for SAP | <3.4.2 | |
| HP StorageWorks Command View | >=8.4.0-00<8.6.2-00 | |
| HP XP P9000 | ||
| Oracle REST Data Services | =11.2.0.4 | |
| Oracle REST Data Services | =12.1.0.2 | |
| Oracle REST Data Services | =12.2.0.1 | |
| Oracle REST Data Services | =18c | |
| Oracle Retail Xstore Office Cloud Service | =7.1 | |
| Oracle Retail Xstore Office Cloud Service | =15.0 | |
| Oracle Retail Xstore Office Cloud Service | =16.0 | |
| Oracle Retail Xstore Office Cloud Service | =17.0 | |
| IBM Global Data Engine | <=3.0.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
- https://github.com/eclipse/jetty.project/commit/a285deea
- https://security-tracker.debian.org/tracker/CVE-2017-7657
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1595622
- https://access.redhat.com/errata/RHSA-2019:0910
- https://access.redhat.com/security/updates/classification/
- https://bugzilla.redhat.com/show_bug.cgi?id=1595620
- http://www.securitytracker.com/id/1041194
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://www.debian.org/security/2018/dsa-4278
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/145521
- https://www.ibm.com/support/pages/node/6320835 (Advisory)
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
Frequently Asked Questions
What is CVE-2017-7657?
CVE-2017-7657 is a vulnerability in Eclipse Jetty that allows for HTTP request smuggling due to improper handling of Chunked Transfer-Encoding.
What is the severity level of CVE-2017-7657?
The severity level of CVE-2017-7657 is critical.
How can I fix the CVE-2017-7657 vulnerability?
To fix the CVE-2017-7657 vulnerability, update to Eclipse Jetty version 9.3.24 or 9.4.11 (or newer) depending on your configuration.
Where can I find more information about CVE-2017-7657?
You can find more information about CVE-2017-7657 at the following references: [link1](https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668), [link2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1595622), [link3](https://access.redhat.com/errata/RHSA-2019:0910)
What are the Common Weakness Enumerations (CWE) associated with CVE-2017-7657?
The Common Weakness Enumerations (CWE) associated with CVE-2017-7657 are CWE-190, CWE-444, and CWE-79.
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/severity
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-7657
- agent/software-canonical-lookup
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/debian
- package-manager/redhat
- vendor/eclipse
- canonical/mortbay jetty
- version/mortbay jetty/9.2.26
- version/mortbay jetty/9.3.0
- version/mortbay jetty/9.4.0
- vendor/debian
- canonical/debian linux
- version/debian linux/9.0
- vendor/netapp
- canonical/netapp e-series santricity management for vmware vcenter
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0
- version/netapp e-series santricity os controller/11.50.1
- canonical/netapp e-series santricity web services
- canonical/netapp management services for element software
- canonical/netapp element software
- canonical/netapp hci storage node
- canonical/netapp system manager
- version/netapp system manager/3.x
- canonical/netapp oncommand unified manager for windows
- canonical/netapp santricity cloud connector
- canonical/netapp snap creator framework
- canonical/netapp snapcenter
- canonical/netapp snapmanager for oracle
- canonical/netapp snapmanager for sap
- vendor/hp
- canonical/hp storageworks command view
- version/hp storageworks command view/8.4.0-00
- canonical/hp xp p9000
- vendor/oracle
- canonical/oracle rest data services
- version/oracle rest data services/11.2.0.4
- version/oracle rest data services/12.1.0.2
- version/oracle rest data services/12.2.0.1
- version/oracle rest data services/18c
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/7.1
- version/oracle retail xstore office cloud service/15.0
- version/oracle retail xstore office cloud service/16.0
- version/oracle retail xstore office cloud service/17.0
- vendor/ibm
- canonical/ibm global data engine
- version/ibm global data engine/3.0.0.2