CVE-2021-34428
Session Management vulnerability in jetty-server (Maven)


What is CVE-2021-34428 About?

This vulnerability occurs when an exception thrown during session destruction prevents the session ID from being invalidated, which can leave a user's session active when it should have ended. The impact can include information disclosure or unauthorized access on shared computers. Exploitation relies on the application itself throwing a specific exception, so an attacker cannot easily trigger it on purpose.

Affected Software

  • org.eclipse.jetty:jetty-server
    • >11.0.0, <11.0.3
    • <9.4.41
    • >10.0.0, <10.0.3

Technical Details

The vulnerability arises in SessionListener#sessionDestroyed() implementations. If an exception is thrown during the execution of this method, the session ID is not invalidated within the session ID manager. In deployments utilizing clustered sessions and multiple contexts, this can lead to a session remaining active and not being properly destroyed. An attacker cannot directly induce such an exception; they must rely on an application's specific behavior to throw one (e.g., an IllegalStateException during getLastAccessedTime() as identified by the reporter). If such an application is deployed in a clustered environment, it may fail to log out users, potentially exposing their sessions.

What is the Impact of CVE-2021-34428?

Successful exploitation may allow attackers to maintain access to a user's session even after they have attempted to log out, leading to unauthorized data access or session hijacking on shared computing environments.

What is the Exploitability of CVE-2021-34428?

Exploitation is indirect and depends heavily on how the target application is implemented. Triggering the exception itself requires no authentication, but the impact depends on an existing logged-in user's session. The vulnerability is local in the sense that the application itself must raise the exception during session destruction: an attacker cannot induce it directly and must rely on the application's own error handling or a design flaw. This makes intentional exploitation difficult, since specific application behaviour has to be present. The risk is higher for applications deployed in clustered environments whose SessionListener#sessionDestroyed() implementations do not handle exceptions properly.
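The technical details and exploitability sections above both come down to one point: on an affected jetty-server, an exception escaping a sessionDestroyed() callback stops the container from invalidating the session ID. The listener below is an added example, not code from this advisory or from the Jetty project. It shows the unsafe pattern the reporter identified (calling HttpSession#getLastAccessedTime(), which the Servlet specification says throws IllegalStateException on an invalidated session) next to a hardened callback that never lets an exception reach the container. It assumes the javax.servlet package names used by Jetty 9.4 and 10 (Jetty 11 uses jakarta.servlet), and the class name SafeSessionAuditListener is hypothetical. This is defence in depth for application code; the actual fix is the upgrade listed below.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example (hypothetical class, not from the advisory or Jetty): a session
 * listener whose sessionDestroyed() cannot propagate an exception back into the
 * container. On jetty-server builds affected by CVE-2021-34428, an exception
 * escaping this callback left the session ID un-invalidated in the session ID
 * manager, so the listener catches everything and only logs.
 */
@WebListener
public class SafeSessionAuditListener implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SafeSessionAuditListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // getId() is one of the HttpSession methods that never throws
        // IllegalStateException, so it is safe to use in either callback.
        LOG.fine(() -> "session created: " + se.getSession().getId());
    }

    /**
     * Unsafe pattern, kept for contrast: the Servlet API specifies that
     * getLastAccessedTime() throws IllegalStateException once the session is
     * invalidated. If a listener lets that exception escape sessionDestroyed(),
     * an affected Jetty skips invalidating the session ID.
     */
    static long lastAccessUnsafe(HttpSession session) {
        return session.getLastAccessedTime(); // may throw on an invalidated session
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        String id = session.getId();
        try {
            long lastAccess = session.getLastAccessedTime();
            LOG.info(() -> "session " + id + " destroyed; last accessed at " + lastAccess);
        } catch (IllegalStateException e) {
            // The session was already invalidated before we were notified:
            // record what we can and return normally so the container can
            // finish tearing the session down.
            LOG.log(Level.WARNING,
                    "session " + id + " destroyed after invalidation; last access unavailable", e);
        } catch (RuntimeException e) {
            // Catch-all: whatever audit or cleanup code does here, no exception
            // may leave this method. A SEVERE log line here is also a useful
            // detection signal that cleanup is failing in production.
            LOG.log(Level.SEVERE, "sessionDestroyed failed for session " + id, e);
        }
    }
}
```

Register the class with @WebListener as shown (or in web.xml) in a web application deployed on the affected Jetty, and every session destruction, including the clustered multi-context case the advisory describes, returns cleanly to the container. Treat a SEVERE entry from this listener as a signal to investigate, since on an unpatched server the same failure would have left the session resumable.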

What are the Known Public Exploits?

PoC Author    Link    Commentary
Trinadh465    Link    PoC for CVE-2021-34428

What are the Available Fixes for CVE-2021-34428?

Available Upgrade Options

  • org.eclipse.jetty:jetty-server
    • <9.4.41 → Upgrade to 9.4.41
    • >10.0.0, <10.0.3 → Upgrade to 10.0.3
    • >11.0.0, <11.0.3 → Upgrade to 11.0.3


Additional Resources

What are Similar Vulnerabilities to CVE-2021-34428?

Similar Vulnerabilities: CVE-2018-1285, CVE-2017-12629, CVE-2019-17558, CVE-2020-1935, CVE-2021-25329