CVE-2017-7658
HTTP Request Smuggling vulnerability in org.eclipse.jetty:jetty-server

What is CVE-2017-7658 About?

This HTTP Request Smuggling vulnerability in Eclipse Jetty Server can lead to authorization bypass. By manipulating HTTP headers, an attacker can trick an intermediary into forwarding unauthorized requests. Exploitation is moderately complex, requiring specific conditions regarding intermediary server behavior.

Affected Software

  • org.eclipse.jetty:jetty-server
    • >9.3.0, <9.3.24.v20180605
    • <9.2.25.v20180606
    • >9.4.0, <9.4.11.v20180605

Technical Details

The vulnerability arises when Eclipse Jetty Server (versions 9.2.x and older, 9.3.x in non-HTTP/1.x configurations, and 9.4.x in HTTP/1.x configurations) is presented with two Content-Length headers, or with a Content-Length header together with a Transfer-Encoding: chunked header. RFC 2616 says to ignore Content-Length when chunked encoding is present. However, if an intermediary server processes the shorter Content-Length but passes the full body to Jetty, Jetty can interpret the remaining body content as a pipelined request. This 'second' request bypasses the authorization checks performed by the intermediary, because the intermediary only sees and authorizes the first, legitimate request.
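
A defensive check for the ambiguous framing described above, as an added example that is not part of the original advisory or of Jetty's code. The function name `framing_issues` and the sample header blocks are assumptions constructed for illustration; the check goes slightly beyond the text by also flagging folded header lines and whitespace before the colon, which can likewise make two parsers disagree on the headers.

```python
"""Flag HTTP/1.x header blocks whose body framing is ambiguous (added example)."""
from __future__ import annotations


def framing_issues(head: bytes) -> list[str]:
    """Return the reasons a header block allows more than one body length.

    `head` is the request line plus headers, without the terminating blank line.
    """
    issues, lengths, chunked = [], [], False
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):
            issues.append("obsolete line folding in headers")
            continue
        name, sep, value = line.partition(b":")
        if not sep or name != name.strip():       # e.g. b"Content-Length : 5"
            issues.append(f"malformed header line: {line!r}")
            continue
        name = name.lower()
        value = value.strip().decode("latin-1")
        if name == b"content-length":
            # One header may carry a comma-separated list of values.
            lengths.extend(v.strip() for v in value.split(","))
        elif name == b"transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",")]
            chunked = chunked or "chunked" in codings
    if any(not (v.isascii() and v.isdigit()) for v in lengths):
        issues.append("non-numeric Content-Length")
    elif len({int(v) for v in lengths}) > 1:
        issues.append("conflicting Content-Length values")
    if chunked and lengths:
        issues.append("Content-Length together with Transfer-Encoding: chunked")
    return issues


# Constructed sample header blocks (not captured traffic).
_BASE = b"POST /a HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5"
SAMPLES = {
    "clean": _BASE,
    "two_cl": _BASE + b"\r\ncontent-length: 40",
    "cl_te": _BASE + b"\r\nTransfer-Encoding: chunked",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, framing_issues(head) or "ok")
```

A front end that rejects any request for which this returns a non-empty list never forwards a body whose length the backend could read differently.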

What is the Impact of CVE-2017-7658?

Successful exploitation may allow attackers to bypass authorization controls, access restricted resources, and perform unauthorized actions on the web server or application.

What is the Exploitability of CVE-2017-7658?

Exploitation of this vulnerability is complex, requiring precise manipulation of HTTP headers and specific behavior from an intermediary server. Attackers would need to craft requests with conflicting Content-Length headers or a combination of Content-Length and Transfer-Encoding: chunked. No authentication is required, and access can be remote. The primary prerequisite is the presence of an intermediary proxy or load balancer that interprets HTTP headers differently from the backend Jetty server and performs authorization checks that can be circumvented by a 'fake' pipelined request. The likelihood of exploitation increases if an intermediary is not RFC-compliant in handling malformed HTTP requests.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2017-7658?

Available Upgrade Options

  • org.eclipse.jetty:jetty-server
    • <9.2.25.v20180606 → Upgrade to 9.2.25.v20180606
  • org.eclipse.jetty:jetty-server
    • >9.3.0, <9.3.24.v20180605 → Upgrade to 9.3.24.v20180605
  • org.eclipse.jetty:jetty-server
    • >9.4.0, <9.4.11.v20180605 → Upgrade to 9.4.11.v20180605

Additional Resources

What are Similar Vulnerabilities to CVE-2017-7658?

Similar Vulnerabilities: CVE-2019-17558, CVE-2023-38546, CVE-2023-45803, CVE-2021-26297, CVE-2019-0232