CVE-2017-7656
HTTP Request Smuggling vulnerability in jetty-server (Maven)
What is CVE-2017-7656 About?
This vulnerability is an HTTP Request Smuggling flaw in Eclipse Jetty, affecting several versions and configurations. It can lead to severe issues like cache poisoning by allowing an attacker to manipulate how HTTP requests are parsed by proxies and backend servers. Exploitation is complex but highly impactful, especially in environments with proxy servers.
Affected Software
- org.eclipse.jetty:jetty-server
- <9.3.24.v20180605
- >9.4.0, <9.4.11.v20180605
Technical Details
Eclipse Jetty, in versions 9.2.x and older, all 9.3.x configurations, and 9.4.x with RFC2616 compliance enabled, is susceptible to an HTTP Request Smuggling vulnerability. This occurs due to inconsistencies in how different HTTP processors (e.g., a frontend proxy and the Jetty backend server) interpret HTTP message boundaries. An attacker can use specially crafted HTTP requests that exploit differences in how the Content-Length and Transfer-Encoding headers are handled. This allows them to 'smuggle' a second, hidden HTTP request within the first. A proxy or cache may see only the first request while the backend Jetty server also processes the smuggled one, so the two ends become de-synchronized and the attacker's request is handled out of band, which can result in cache poisoning or bypassed security controls.
What is the Impact of CVE-2017-7656?
Successful exploitation may allow attackers to bypass security controls, poison web caches, gain unauthorized access to backend resources, or conduct cross-site scripting (XSS) attacks through cache poisoning.
What is the Exploitability of CVE-2017-7656?
Exploitation of HTTP Request Smuggling is generally complex, requiring a deep understanding of HTTP parsing and the specific behavior of proxy servers and the Jetty server in question. No authentication is required, as the attack occurs at the HTTP protocol layer. Privilege requirements are low, as an unauthenticated attacker can initiate the attack. This is a remote attack vector. Special conditions include the presence of an intermediate proxy or load balancer that interprets HTTP messages differently from the backend Jetty server, and specific Jetty versions and configurations (e.g., RFC2616 compliance enabled in 9.4.x). The likelihood of exploitation increases in complex network architectures involving multiple HTTP proxies/caches, especially if they are not strictly compliant with modern HTTP standards or have known parsing discrepancies.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-7656?
Available Upgrade Options
- org.eclipse.jetty:jetty-server
- <9.3.24.v20180605 → Upgrade to 9.3.24.v20180605
- org.eclipse.jetty:jetty-server
- >9.4.0, <9.4.11.v20180605 → Upgrade to 9.4.11.v20180605
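The two affected ranges above can be checked against a build's resolved dependencies. The following is an added example, not code from this page or from the Jetty project; it assumes the line format printed by `mvn dependency:list` and orders only the `vYYYYMMDD` qualifier (other qualifiers are treated like the bare release).

```python
import re

# Range boundaries exactly as listed on this page for org.eclipse.jetty:jetty-server.
FIXED_93 = "9.3.24.v20180605"
FLOOR_94 = "9.4.0"
FIXED_94 = "9.4.11.v20180605"

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?")
_DEP = re.compile(r"org\.eclipse\.jetty:jetty-server:jar:([^:\s]+)")


def version_key(version):
    """Return (major, minor, patch, build_date); build_date is 0 if absent."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(version):
    """Map a jetty-server version onto the page's two affected ranges."""
    key = version_key(version)
    if key < version_key(FIXED_93):
        return f"affected: upgrade to {FIXED_93}"
    if version_key(FLOOR_94) < key < version_key(FIXED_94):
        return f"affected if RFC2616 compliance is enabled: upgrade to {FIXED_94}"
    return "not in an affected range"


def scan_dependency_list(text):
    """Return [(version, verdict)] for every jetty-server line in the text."""
    return [(v, classify(v)) for v in _DEP.findall(text)]


# Constructed sample input (not from a real build).
SAMPLE = """\
[INFO]    org.eclipse.jetty:jetty-server:jar:9.2.21.v20170120:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:9.3.24.v20180605:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.8.v20171121:compile
[INFO]    org.eclipse.jetty:jetty-util:jar:9.4.8.v20171121:compile
"""

if __name__ == "__main__":
    for version, verdict in scan_dependency_list(SAMPLE):
        print(f"{version:20} {verdict}")
```

For 9.4.x the verdict stays conditional, because this page lists 9.4.x as vulnerable only when RFC2616 compliance is enabled; the version check alone cannot see that setting.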
Additional Resources
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://security.netapp.com/advisory/ntap-20181014-0001
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- https://osv.dev/vulnerability/GHSA-84q7-p226-4x5w
- https://www.debian.org/security/2018/dsa-4278
What are Similar Vulnerabilities to CVE-2017-7656?
Similar Vulnerabilities: CVE-2023-44487, CVE-2024-27909, CVE-2024-28876, CVE-2024-2499, CVE-2024-3366
