{ "threat_severity" : "Low", "public_date" : "2021-06-22T00:00:00Z", "bugzilla" : { "description" : "jetty: SessionListener can prevent a session from being invalidated breaking logout", "id" : "1974891", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1974891" }, "cvss3" : { "cvss3_base_score" : "3.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-613", "details" : [ "For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.", "A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity." ], "statement" : "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.\nOCP 3.11 is out of the support scope for Moderate and Low impact vulnerabilities because is already in the Maintenance Support phase, hence the affected OCP 3.11 component has been marked as wontifx.\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "affected_release" : [ { "product_name" : "Red Hat AMQ 7.9.0", "release_date" : "2021-09-30T00:00:00Z", "advisory" : "RHSA-2021:3700", "cpe" : "cpe:/a:redhat:amq_broker:7", "package" : "jetty-server" }, { "product_name" : "Red Hat AMQ Streams 1.8.0", "release_date" : "2021-08-19T00:00:00Z", "advisory" : "RHSA-2021:3225", "cpe" : "cpe:/a:redhat:amq_streams:1", "package" : "jetty-server" }, { "product_name" : "Red Hat Fuse 7.10", "release_date" : "2021-12-14T00:00:00Z", "advisory" : "RHSA-2021:5134", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "jetty" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "release_date" : "2021-11-23T00:00:00Z", "advisory" : "RHSA-2021:4767", "cpe" : "cpe:/a:redhat:camel_quarkus:2.2" }, { "product_name" : "Red Hat OpenShift Container Platform 4.9", "release_date" : "2021-10-18T00:00:00Z", "advisory" : "RHSA-2021:3758", "cpe" : "cpe:/a:redhat:openshift:4.9::el8", "package" : "jenkins-0:2.289.3.1630554997-1.el8" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "jetty", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "eclipse:rhel8/jetty", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Fix deferred", "package_name" : "jetty", "cpe" : "cpe:/a:redhat:integration:1", "impact" : "low" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Affected", "package_name" : "jetty", "cpe" : "cpe:/a:redhat:camel_quarkus:2", "impact" : "low" }, { "product_name" : "Red Hat Integration Service Registry", "fix_state" : "Affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:integration:1", "impact" : "low" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Out of support scope", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "jetty", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-presto", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-34428\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-34428\nhttps://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6" ], "name" : "CVE-2021-34428", "mitigation" : { "value" : "Applications should catch all Throwables within their SessionListener#sessionDestroyed() implementations.", "lang" : "en:us" }, "csaw" : false }