CVE-2015-2080
Information Disclosure vulnerability in jetty-server (Maven)
What is CVE-2015-2080 About?
This vulnerability, known as JetLeak, affects Eclipse Jetty prior to 9.2.9.v20150224 and allows remote attackers to obtain sensitive information. It occurs due to flaws in exception handling when processing illegal characters in HTTP headers. Exploitation is moderately difficult, requiring specific crafted input to trigger memory disclosure.
Affected Software
Technical Details
The JetLeak vulnerability in Eclipse Jetty arises from a defect in how the exception handling code processes malformed HTTP headers. When an HTTP header contains illegal characters, the server's error handling mechanism can inadvertently expose portions of its process memory. Specifically, the buffer used for processing these headers, or other related memory regions, might be dumped or partially included in the error response. This allows an attacker to send specially crafted HTTP requests with invalid characters in headers, triggering errors that leak sensitive information directly from the server's memory, such as session tokens, cryptographic keys, or other confidential data.
What is the Impact of CVE-2015-2080?
Successful exploitation may allow attackers to obtain sensitive information from process memory, potentially leading to further compromise, unauthorized access, or bypass of security controls.
What is the Exploitability of CVE-2015-2080?
Exploitation of JetLeak involves crafting HTTP requests with illegal characters in the header fields to trigger specific error handling paths in Jetty. The complexity is moderate, requiring an understanding of HTTP parsing and server error responses. No authentication or specific privileges are required, because the attack targets the parsing of HTTP headers, which occurs before authentication. The vulnerability is remote: the attacker sends crafted requests over the network. The special conditions are that the server runs a vulnerable version of Eclipse Jetty and is accessible to the attacker. Exploitation is more likely when the server handles untrusted HTTP requests directly and its logging or error reporting is not filtered, inadvertently exposing memory contents.
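A defensive check for the request shape described above, as an added example that is not part of the original page or of Jetty's code: it flags header lines containing bytes that the RFC 7230 grammar does not permit, so a reverse proxy or log pipeline in front of Jetty can reject or alert on them. Using RFC 7230 as the definition of "illegal", the function name and the sample requests are assumptions.

```python
import re

# RFC 7230 grammar: a field name is a token; a field value may contain only
# HTAB, SP, visible ASCII and obs-text (0x80-0xFF). Everything else is illegal.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
BAD_VALUE_BYTE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def illegal_header_bytes(raw_request: bytes):
    """Return (line_no, field_name, reason) for each malformed header line.

    Only the header block is inspected; the request line (line 1) and the
    body are out of scope for this check.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line_no, line in enumerate(head.split(b"\r\n")[1:], start=2):
        # Deprecated obs-fold continuation lines carry value bytes only.
        folded = line[:1] in (b" ", b"\t")
        name, sep, value = (b"", b":", line) if folded else line.partition(b":")
        shown = name.decode("latin-1")
        if not sep:
            findings.append((line_no, shown, "no colon separator"))
        elif not folded and not TOKEN.fullmatch(name):
            findings.append((line_no, shown, "illegal byte in field name"))
        else:
            hit = BAD_VALUE_BYTE.search(value)
            if hit:
                reason = "illegal byte 0x%02x in field value" % hit.group()[0]
                findings.append((line_no, shown, reason))
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
BAD_VALUE = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Sample: a\x01b\r\n\r\n"
BAD_NAME = b"GET / HTTP/1.1\r\nBad Name: x\r\n\r\n"

if __name__ == "__main__":
    for sample in (CLEAN, BAD_VALUE, BAD_NAME):
        print(illegal_header_bytes(sample))
```

A filter like this reduces exposure in front of an unpatched server but does not replace the upgrade listed under the available fixes.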
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2015-2080?
Available Upgrade Options
- org.eclipse.jetty:jetty-server
  - <9.2.9.v20150224 → Upgrade to 9.2.9.v20150224
Additional Resources
- https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html
- http://www.securityfocus.com/archive/1/534755/100/1600/threaded
- http://www.securityfocus.com/bid/72768
- https://security.netapp.com/advisory/ntap-20190307-0005
- http://www.securitytracker.com/id/1031800
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
- http://seclists.org/fulldisclosure/2015/Mar/12
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
What are Similar Vulnerabilities to CVE-2015-2080?
Similar Vulnerabilities: CVE-2014-0160, CVE-2015-8120, CVE-2018-1273, CVE-2019-17558, CVE-2014-2525
