CVE-2017-9735: Timing Channel Attack vulnerability in jetty-server (Maven)

What is CVE-2017-9735 About?

Jetty through 9.4.x contains a timing channel vulnerability in `util/security/Password.java`, allowing attackers to discern correct password characters based on the elapsed time before rejection. This can significantly aid in brute-force or dictionary attacks, making it easier for attackers to obtain unauthorized access. Exploitation requires repeated attempts and careful observation of response times.

Affected Software

org.eclipse.jetty:jetty-server
- >9.4.0, <9.4.6.v20170531
- >9.3.0, <9.3.20.v20170531
- <9.2.22.v20170606

Technical Details

The vulnerability lies in the util/security/Password.java component of Jetty, specifically within the password verification logic. A timing difference exists in how the system processes correct versus incorrect characters in a password attempt. For instance, if an incorrect character is detected early in the password string, the verification process might terminate faster than if an incorrect character is detected later, or if the entire password is correct but does not match. By sending multiple password attempts and precisely measuring the response times, an attacker can infer which characters are correct or incorrect, thereby reducing the effective search space for the password and making brute-force attacks significantly more feasible.

What is the Impact of CVE-2017-9735?

Successful exploitation may allow attackers to significantly reduce the time needed to guess user credentials, leading to unauthorized access to accounts or systems.

What is the Exploitability of CVE-2017-9735?

Exploitation requires an attacker to repeatedly attempt to log in or submit passwords and accurately measure the time taken for the server to respond to each attempt. The complexity is medium, as it requires specialized tools and statistical analysis to reliably detect time differences, especially across network latency. Authentication is implicitly required for the login attempt itself, but the vulnerability works against the authentication mechanism. Privilege requirements are low, as anyone attempting to log in can exploit this. This is a remote vulnerability, as the attacker interacts with the server over a network. High network latency or server load can complicate exploitation, but consistent response times significantly increase the likelihood of success.

What are the Known Public Exploits?

PoC Author	Link	Commentary
No known exploits

What are the Available Fixes for CVE-2017-9735?

A Fix by Resolved Security Exists!

See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

This patch introduces constant-time comparison functions for strings and byte arrays in authentication and credential checks, replacing standard equals/equality checks that may be vulnerable to timing attacks. By doing so, it mitigates the risk of attackers exploiting timing discrepancies to guess valid credentials, thereby fixing the vulnerability described in CVE-2017-9735.

Available Upgrade Options

org.eclipse.jetty:jetty-server
- <9.2.22.v20170606 → Upgrade to 9.2.22.v20170606
org.eclipse.jetty:jetty-server
- >9.3.0, <9.3.20.v20170531 → Upgrade to 9.3.20.v20170531
org.eclipse.jetty:jetty-server
- >9.4.0, <9.4.6.v20170531 → Upgrade to 9.4.6.v20170531

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2017-9735?

Similar Vulnerabilities: CVE-2019-10081 , CVE-2019-10082 , CVE-2019-10083 , CVE-2019-10084 , CVE-2019-10085

CVE-2017-9735 Timing Channel Attack vulnerability in jetty-server (Maven)