製品・ソフトウェアに関する情報

JVN脆弱性詳細

Eclipse Jetty におけるアクセス制御に関する脆弱性

Title	Eclipse Jetty におけるアクセス制御に関する脆弱性
Summary	Eclipse Jetty には、アクセス制御に関する脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 11, 2017, midnight
Registration Date	Sept. 5, 2018, 5:24 p.m.
Last Update	Sept. 5, 2018, 5:24 p.m.

CVSS3.0 : 重要
Score	7.5
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:P/A:N

Affected System

日立

Hitachi Configuration Manager

Hitachi Device Manager

Hitachi Infrastructure Analytics Advisor

Debian

Debian GNU/Linux

Eclipse Foundation

Jetty 9.2.x およびそれ以前

Jetty 9.3.x

Jetty 9.4.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-7656	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656
National Vulnerability Database (NVD)
2	CVE-2017-7656	https://nvd.nist.gov/vuln/detail/CVE-2017-7656

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-284	https://cwe.mitre.org/data/definitions/284.html

ベンダー情報

No	Name	URL
Bugzilla
1	Bug 535667	https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
Debian Security Advisory
2	DSA-4278	https://www.debian.org/security/2018/dsa-4278
ソフトウェア製品セキュリティ情報
3	hitachi-sec-2018-136	http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2018-136/index.html

Change Log

No	Changed Details	Date of change
2	[2018年12月04日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2018-136) を追加	Dec. 4, 2018, 4:14 p.m.
1	[2018年09月05日] 掲載	Sept. 5, 2018, 5:24 p.m.

NVD Vulnerability Information

CVE-2017-7656

Summary	In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Publication Date	June 27, 2018, 12:29 a.m.
Registration Date	Jan. 26, 2021, 1:28 p.m.
Last Update	Nov. 21, 2024, 12:32 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:eclipse:jetty::::::::	9.4.0			9.4.11
cpe:2.3:a:eclipse:jetty::::::::	9.3.0			9.3.24
cpe:2.3:a:eclipse:jetty::::::::		9.2.26

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securitytracker.com/id/1041194	Third Party Advisory VDB Entry
2	http://www.securitytracker.com/id/1041194	Third Party Advisory VDB Entry
3	https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667	Third Party Advisory
4	https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667	Third Party Advisory
5	https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
6	https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
7	https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
8	https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
9	https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
10	https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
11	https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6%40%3Cissues.maven.apache.org%3E
12	https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6%40%3Cissues.maven.apache.org%3E
13	https://security.netapp.com/advisory/ntap-20181014-0001/
14	https://security.netapp.com/advisory/ntap-20181014-0001/
15	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
16	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
17	https://www.debian.org/security/2018/dsa-4278	Third Party Advisory
18	https://www.debian.org/security/2018/dsa-4278	Third Party Advisory
19	https://www.oracle.com//security-alerts/cpujul2021.html
20	https://www.oracle.com//security-alerts/cpujul2021.html
21	https://www.oracle.com/security-alerts/cpuoct2020.html
22	https://www.oracle.com/security-alerts/cpuoct2020.html
23	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
24	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Common Vulnerabilities List