Questions about CVE-2024-6763 in Jetty 11 #12584

Open
dmiroshnikov opened this issue Nov 26, 2024 · 5 comments
@dmiroshnikov

dmiroshnikov commented Nov 26, 2024

Are you planning to fix CVE-2024-6763 in jetty11, or do we have to migrate to jetty12-ee9?

@dmiroshnikov
Author

Feel free to close if the response to my question will be the same as in #12581.

@dmiroshnikov
Author

dmiroshnikov commented Nov 27, 2024

Actually, in our case we cannot go from jetty11 to jetty12-ee9 directly due to a "new" behaviour with welcome files.

It doesn't work with the way we set up our app. As a workaround, I need to override doGet of org.eclipse.jetty.ee9.servlet.DefaultServlet with the following conditional logic to avoid a 404 if the servlet path is "/".

        if(...) {
            getServletContext()
                    .getRequestDispatcher("/index.jsp")
                    .forward(httpServletRequest, httpServletResponse);
        } else {
            super.doGet(httpServletRequest, httpServletResponse);
        }

@janbartel
Contributor

@dmiroshnikov not sure I understand your issue with ee9 DefaultServlet. Can you explain the request URL, your expected response, and your particular DefaultServlet configuration?

@dmiroshnikov
Author

dmiroshnikov commented Nov 27, 2024

We have multiple web apps with a common login, index.jsp forwards to the proper app based on a state. Internally we use the "/" uri and rely on welcome-file-list logic for forwarding to index.jsp.

In jetty11,
"/" -> "/index.jsp" (state=unknown) -> "/login.jsp" -> "/" -> "index.jsp" (state=roleA) -> "webAppForRoleA.jsp"

In jetty12-ee9 / jetty12-ee10,
"/" -> "/index.jsp" (state=unknown) -> "/login.jsp" -> "/" -> 404 page not found

Content of defaultsDescriptor.xml

<?xml version="1.0" encoding="ISO-8859-1"?>

<web-app
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
        metadata-complete="true"
        version="3.0">

    <context-param>
        <param-name>org.mortbay.jetty.servlet.MaxAge</param-name>
        <param-value>-1</param-value>
    </context-param>

    <context-param>
        <param-name>org.mortbay.jetty.webapp.NoTLDJarPattern</param-name>
        <param-value>
            start.jar|ant-.*\.jar|dojo-.*\.jar|jetty-.*\.jar|jsp-api-.*\.jar|junit-.*\.jar|servlet-api-.*\.jar|dnsns\.jar|rt\.jar|jsse\.jar|tools\.jar|sunpkcs11\.jar|sunjce_provider\.jar|xerces.*\.jar
        </param-value>
    </context-param>

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.eclipse.jetty.ee9.servlet.DefaultServlet</servlet-class>
        <init-param>
            <param-name>acceptRanges</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>dirAllowed</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>redirectWelcome</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>maxCacheSize</param-name>
            <param-value>256000000</param-value>
        </init-param>
        <init-param>
            <param-name>maxCachedFileSize</param-name>
            <param-value>10000000</param-value>
        </init-param>
        <init-param>
            <param-name>maxCachedFiles</param-name>
            <param-value>1000</param-value>
        </init-param>
        <init-param>
            <param-name>cacheType</param-name>
            <param-value>both</param-value>
        </init-param>
        <init-param>
            <param-name>gzip</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>useFileMappedBuffer</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>0</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <servlet id="jsp">
        <servlet-name>jsp</servlet-name>
        <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
        <init-param>
            <param-name>logVerbosityLevel</param-name>
            <param-value>DEBUG</param-value>
        </init-param>
        <init-param>
            <param-name>fork</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>xpoweredBy</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>0</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.jsp</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <locale-encoding-mapping-list>
        <locale-encoding-mapping>
            <locale>en</locale>
            <encoding>ISO-8859-1</encoding>
        </locale-encoding-mapping>
    </locale-encoding-mapping-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Disable TRACE</web-resource-name>
            <url-pattern>/</url-pattern>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

    <baseResource implementation="org.mortbay.resource.ResourceCollection">
        <resourcesAsCSV>src/main/webapp,src/test/webapp</resourcesAsCSV>
    </baseResource>

</web-app>

In my current workaround, DefaultServlet was overwritten to override the doGet method to conditionally forward to index.jsp based on the URI value.

@joakime changed the title from "CVE-2024-6763 in 11.0.24" to "Questions about CVE-2024-6763 in Jetty 11" on Nov 27, 2024
@janbartel
Contributor

@dmiroshnikov your defaults descriptor is a bit odd, both for jetty-11 and jetty-12.

  • There are no attributes with the prefix org.mortbay.jetty in either codebase.
  • The jsp servlet in jetty-11 should be org.eclipse.jetty.jsp.JettyJspServlet and in jetty-12 ee9 should be org.eclipse.jetty.ee9.jsp.JettyJspServlet.
  • There is no class org.mortbay.resource.ResourceCollection: in jetty-11 it is org.eclipse.jetty.util.resource.ResourceCollection; in jetty-12 it is a CombinedResource (but obtained from a ResourceFactory). In either case you don't need to set it in the defaults descriptor - the MetaInfConfiguration and WebInfConfiguration will sort this out for you.

I need to see the request uri, path etc. for the case where login.jsp forwards to / and arrives at the DefaultServlet: can you debug it and provide the request info please? Even better would be the world's smallest reproduction test case so I can run it myself.
