CVE-2017-7657
Integer Overflow vulnerability in org.eclipse.jetty:jetty-server

Type: Integer Overflow. Known exploits: none.

What is CVE-2017-7657 About?

This Integer Overflow vulnerability in Eclipse Jetty, affecting versions 9.2.x and older and 9.3.x, allows authorization bypass through mishandling of Transfer-Encoding chunk sizes. A large chunk size can be misinterpreted as a much smaller one, so the data following the misread length is processed as a pipelined request and bypasses an intermediary's authorization. Exploitation requires a specific intermediary server configuration.

Affected Software

  • org.eclipse.jetty:jetty-server
    • >9.3.0, <9.3.24.v20180605
    • <9.2.25.v20180606

Technical Details

The vulnerability in Eclipse Jetty server versions 9.2.x and older, and 9.3.x, stems from an integer overflow in the parsing of chunk lengths in a Transfer-Encoding: chunked request body. When a sufficiently large chunk size is supplied, the overflow causes Jetty to interpret it as a much smaller chunk size. Consequently, the data beyond this misinterpreted smaller length, though still part of the original larger chunk, is not consumed as part of the current request body; Jetty instead interprets the excess data as a subsequent 'pipelined' request. If Jetty is deployed behind an intermediary (e.g., a reverse proxy or load balancer) that performs authorization and passes arbitrarily large chunks through unchanged, this 'fake' pipelined request bypasses the intermediary's authorization, since the intermediary authorized only the first part of the request.
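The following Java class is an added illustrative example, not Jetty's code. It models the two parsing patterns the paragraph describes: a chunk-size parser that accumulates hex digits into a 32-bit int with no bound check (so an oversized value wraps to a small one), and a hardened parser that rejects the value before the multiplication can overflow and also enforces a policy limit. It also includes the check an intermediary would run over a complete chunked body before forwarding it. The class name, method names, the constructed sample inputs and the 1 MiB limit are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;

/**
 * Illustrative model of HTTP/1.1 chunk-size parsing (added example, not Jetty's code).
 * Shows how accumulating hex digits into a 32-bit int wraps, and how a bounded
 * parser rejects such input instead of silently mis-sizing the chunk.
 */
public final class ChunkSizeCheck {

    /** Vulnerable pattern: no bound check, so the 32-bit accumulator wraps silently. */
    static int parseChunkSizeUnchecked(String sizeLine) {
        int length = 0;
        for (int i = 0; i < sizeLine.length(); i++) {
            char c = sizeLine.charAt(i);
            if (c == ';' || c == '\r' || c == '\n') break; // chunk extension or end of size line
            int digit = Character.digit(c, 16);
            if (digit < 0) throw new IllegalArgumentException("bad hex digit: " + c);
            length = length * 16 + digit; // wraps once the value exceeds Integer.MAX_VALUE
        }
        return length;
    }

    /** Hardened pattern: fail before the multiply can overflow, and enforce a policy limit. */
    static int parseChunkSizeChecked(String sizeLine, int maxChunk) {
        int length = 0;
        for (int i = 0; i < sizeLine.length(); i++) {
            char c = sizeLine.charAt(i);
            if (c == ';' || c == '\r' || c == '\n') break;
            int digit = Character.digit(c, 16);
            if (digit < 0) throw new IllegalArgumentException("bad hex digit: " + c);
            // length * 16 + digit must stay <= Integer.MAX_VALUE
            if (length > (Integer.MAX_VALUE - digit) / 16) {
                throw new IllegalArgumentException("chunk size overflows 32-bit int: " + sizeLine);
            }
            length = length * 16 + digit;
            if (length > maxChunk) {
                throw new IllegalArgumentException("chunk size " + length + " exceeds limit " + maxChunk);
            }
        }
        return length;
    }

    /**
     * Intermediary-side check: walk a complete chunked body and confirm every
     * chunk-size line parses within the limit and the declared bytes are present.
     * Returns true only if the body is well-formed under the checked parser.
     */
    static boolean chunkedBodyIsSane(byte[] body, int maxChunk) {
        int pos = 0;
        while (true) {
            int eol = indexOfCrlf(body, pos);
            if (eol < 0) return false;
            String sizeLine = new String(body, pos, eol - pos, StandardCharsets.US_ASCII);
            int size;
            try {
                size = parseChunkSizeChecked(sizeLine, maxChunk);
            } catch (IllegalArgumentException e) {
                return false;
            }
            pos = eol + 2;
            if (size == 0) return true; // last-chunk; trailers, if any, are ignored here
            // the declared data bytes plus their trailing CRLF must all be present
            if ((long) pos + size + 2 > body.length) return false;
            pos += size;
            if (body[pos] != '\r' || body[pos + 1] != '\n') return false;
            pos += 2;
        }
    }

    private static int indexOfCrlf(byte[] b, int from) {
        for (int i = from; i + 1 < b.length; i++) {
            if (b[i] == '\r' && b[i + 1] == '\n') return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed size line: 0x100000010 = 2^32 + 16; a 32-bit accumulator wraps it to 16.
        String oversized = "100000010";
        System.out.println("unchecked parse of 0x" + oversized + " -> " + parseChunkSizeUnchecked(oversized));
        try {
            parseChunkSizeChecked(oversized, Integer.MAX_VALUE);
        } catch (IllegalArgumentException e) {
            System.out.println("checked parse rejected: " + e.getMessage());
        }

        int limit = 1 << 20; // assumed 1 MiB per-chunk policy limit
        // Constructed well-formed body: one 5-byte chunk then the terminating chunk.
        byte[] ok = "5\r\nhello\r\n0\r\n\r\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println("well-formed body accepted: " + chunkedBodyIsSane(ok, limit));
        // Same body with the oversized size line: an intermediary should refuse to forward it.
        byte[] bad = (oversized + "\r\nhello\r\n0\r\n\r\n").getBytes(StandardCharsets.US_ASCII);
        System.out.println("oversized body accepted: " + chunkedBodyIsSane(bad, limit));
    }
}
```

Running `main` shows the unchecked parser turning the 0x100000010 size line into 16, which is exactly the misread length the paragraph describes: the first 16 bytes would be taken as the chunk and whatever follows would be treated as the start of a new request. The checked parser throws on the same input, and `chunkedBodyIsSane` returns true for the well-formed body and false for the oversized one, which is the decision an authorizing intermediary needs to make before passing chunked data on to Jetty.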

What is the Impact of CVE-2017-7657?

Successful exploitation may allow attackers to bypass authorization controls, access restricted resources, and perform unauthorized actions on the web server or application by circumventing security mechanisms implemented by intermediary systems.

What is the Exploitability of CVE-2017-7657?

Exploiting this vulnerability involves crafting HTTP requests that abuse Transfer-Encoding: chunked with a chunk size large enough to trigger the integer overflow. The complexity is moderate. No authentication is described as necessary, and the attack can be performed remotely. A critical prerequisite is an intermediary proxy or load balancer that both imposes authorization and passes the oversized chunk through to Jetty unchanged; only such a deployment is susceptible to the authorization bypass. The likelihood of exploitation is heightened if the intermediary's chunk processing differs from Jetty's and it does not validate chunk lengths, or if it is configured to pass through large, unverified chunked data.

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2017-7657?

Available Upgrade Options

  • org.eclipse.jetty:jetty-server
    • <9.2.25.v20180606 → Upgrade to 9.2.25.v20180606
  • org.eclipse.jetty:jetty-server
    • >9.3.0, <9.3.24.v20180605 → Upgrade to 9.3.24.v20180605

Additional Resources

What are Similar Vulnerabilities to CVE-2017-7657?

Similar Vulnerabilities: CVE-2017-7658, CVE-2022-29361, CVE-2021-39237, CVE-2020-13936, CVE-2019-17558