CVE-2021-34428
First published: Tue Jun 22 2021(Updated: )
Eclipse Jetty could allow a physical attacker to bypass security restrictions, caused by a session ID is not invalidated flaw when an exception is thrown from the SessionListener#sessionDestroyed() method. By gaining access to the application on the shared computer, an attacker could exploit this vulnerability to bypass access restrictions.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <0:2.289.3.1630554997-1.el8 | 0:2.289.3.1630554997-1.el8 |
| IBM Cognos Command Center | <=10.2.4.1 | |
| debian/jetty9 | 9.4.16-0+deb10u1 9.4.50-4+deb10u1 9.4.39-3+deb11u2 9.4.50-4+deb11u1 9.4.50-4+deb12u2 9.4.53-1 | |
| redhat/jetty | <9.4.41 | 9.4.41 |
| redhat/jetty | <10.0.3 | 10.0.3 |
| redhat/jetty | <11.0.3 | 11.0.3 |
| Eclipse Jetty | <=9.4.40 | |
| Eclipse Jetty | >=10.0.0<=10.0.2 | |
| Eclipse Jetty | >=11.0.0<=11.0.2 | |
| Debian Debian Linux | =10.0 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Windows | ||
| NetApp E-Series SANtricity OS Controller | >=11.0<=11.70.1 | |
| Netapp E-series Santricity Web Services Web Services Proxy | ||
| Netapp Element Plug-in For Vcenter Server | ||
| Netapp Santricity Cloud Connector | ||
| NetApp Snap Creator Framework | ||
| Netapp Snapmanager Sap | ||
| Oracle Autovue For Agile Product Lifecycle Management | =21.0.2 | |
| Oracle Communications Element Manager | =8.2.2 | |
| Oracle Communications Services Gatekeeper | =7.0 | |
| Oracle Communications Session Report Manager | >=8.0.0.0<=8.2.4.0 | |
| Oracle Communications Session Route Manager | >=8.0.0<=8.2.4.0 | |
| Oracle REST Data Services | <21.3 | |
| Oracle Siebel Core - Automation | <=21.9 |
Remedy
Applications should catch all Throwables within their SessionListener#sessionDestroyed() implementations.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/204227
- https://www.ibm.com/support/pages/node/6983274 (Advisory)
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
- https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210813-0003/
- https://www.debian.org/security/2021/dsa-4949
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1974892
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://github.com/eclipse/jetty.project/commit/087f486b4461746b4ded45833887b3ccb136ee85
- https://access.redhat.com/errata/RHSA-2021:3225
- https://access.redhat.com/security/cve/cve-2021-34428
- https://access.redhat.com/errata/RHSA-2021:3700
- https://access.redhat.com/errata/RHSA-2021:3758
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2021:5134
- https://bugzilla.redhat.com/show_bug.cgi?id=1974891
- https://www.cve.org/CVERecord?id=CVE-2021-34428 https://nvd.nist.gov/vuln/detail/CVE-2021-34428 https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
- https://github.com/eclipse/jetty.project/issues/6277
- https://security-tracker.debian.org/tracker/CVE-2021-34428
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-34428?
CVE-2021-34428 is a vulnerability in Eclipse Jetty that allows a physical attacker to bypass security restrictions caused by a session ID.
How severe is CVE-2021-34428?
CVE-2021-34428 has a severity rating of low, with a severity value of 3.5.
What is the affected software?
The affected software includes Eclipse Jetty versions up to 9.4.41, 10.0.3, and 11.0.3. It also affects Debian Jetty9 versions 9.4.16-0+deb10u1, 9.4.16-0+deb10u3, 9.4.39-3+deb11u2, 9.4.50-4+deb12u1, and 9.4.53-1.
How can I fix CVE-2021-34428?
To fix CVE-2021-34428, upgrade Eclipse Jetty to version 9.4.41, 10.0.3, or 11.0.3. If you're using Debian Jetty9, upgrade to one of the patched versions mentioned in the affected software list.
Where can I find more information about CVE-2021-34428?
You can find more information about CVE-2021-34428 in the references provided, including the GitHub security advisory, Red Hat Bugzilla report, and Red Hat support policy.
- collector/redhat-cve
- collector/ibm-support
- collector/security-tracker-debian
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/remedy
- agent/author
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-34428
- agent/software-canonical-lookup
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos command center
- version/ibm cognos command center/10.2.4.1
- package-manager/debian
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/9.4.40
- version/eclipse jetty/10.0.0
- version/eclipse jetty/10.0.2
- version/eclipse jetty/11.0.0
- version/eclipse jetty/11.0.2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager windows
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0
- version/netapp e-series santricity os controller/11.70.1
- canonical/netapp e-series santricity web services web services proxy
- canonical/netapp element plug-in for vcenter server
- canonical/netapp santricity cloud connector
- canonical/netapp snap creator framework
- canonical/netapp snapmanager sap
- vendor/oracle
- canonical/oracle autovue for agile product lifecycle management
- version/oracle autovue for agile product lifecycle management/21.0.2
- canonical/oracle communications element manager
- version/oracle communications element manager/8.2.2
- canonical/oracle communications services gatekeeper
- version/oracle communications services gatekeeper/7.0
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.0.0.0
- version/oracle communications session report manager/8.2.4.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.2.4.0
- canonical/oracle rest data services
- canonical/oracle siebel core - automation
- version/oracle siebel core - automation/21.9