Updated:  May 01, 2009

Statement Date:   April 29, 2009

Status

Affected

Vendor Statement

A security vulnerability has been discovered in jetty that effects all version of Jetty up to and including jetty 6.1.16 and 7.0.0.M2 On a vulnerable server, a crafted URL may access files outside of the web application or document tree. To be vulnerable to this issue, you must EITHER: - be using the DefaultServlet with support for aliases explicitly turned on. OR - be using the ResourceHandler class to serve static content. Furthermore, on unix systems, system are only vulnerable if a directory with a name ending with the character '?' to exist in the webapp or docroot. On unix, this is an unlikely situation. On windows systems, this directory does not need to exist, so the vulnerability requires only a single change from the default configuration. A 6.1.17 release will be available shortly with this vulnerability closed. Some immediate preventative actions are listed below. If you are not using the ResourceHandler, then you should confirm that your jetty instance is running with the Default servlet "aliases" initParam set to "false". You will find this setting in either your application's web.xml or the etc/webdefault.xml. If it is not set, then it takes the default, safe, value of "false". You should also check that the org.mortbay.util.FileResource.checkAliases system property is either not set, or set to true. If you are using the ResourceHandler, then you can secure your system against this vulnerability by compiling the source at the bottom of this message against the version of Jetty that you are using. Use an instance of this class instead of the ResourceHandler package org.mortbay.jetty.cert; import java.net.MalformedURLException; import org.mortbay.jetty.handler.ResourceHandler; import org.mortbay.resource.Resource; import org.mortbay.util.StringUtil; import org.mortbay.util.URIUtil; public class TempFixResourceHandler extends ResourceHandler public Resource getResource(String path) throws MalformedURLException if (path!=null && path.indexOf('?')>=0) path=URIUtil.decodePath(URIUtil.canonicalPath(StringUtil.replace(path,"?","%3F"))); if (path==null) return null; return super.getResource(path);

Vendor Information

http://docs.codehaus.org/display/JETTY/Jetty+Security http://jira.codehaus.org/browse/JETTY-1004