Jetty web servers vulnerable to Heartbleed-style attacks

A critical flaw found on open-source Jetty HTTP web servers could - if left unpatched - lead to hackers hijacking internet sessions and stealing sensitive data.

Jetty web servers vulnerable to Heartbleed-style attacks
Jetty web servers vulnerable to Heartbleed-style attacks

International security services company Gotham Digital Science came across the flaw earlier this month and, in a blog post published yesterday, indicated that it affects versions 9.2.3. to 9.2.8 (as well as some beta releases on older versions), allowing remote attackers to attack these systems to read data from previous requests submitted to the server by other users. In short, this could include sensitive data submitted in headers, such as authentication tokens, or usernames, passwords and personally-identifiable information (PII).

Researchers say that attackers could gain access to this information by injecting a malformed data request into the server, which then returns data belonging to other users that has been temporarily stored in memory. 

“The attacker can exploit this behaviour by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user-submitted data from previous requests, the Jetty server will return specific data chunks (approximately 16-bytes in length) from the user's request depending on the attacker's payload offset,” reads the blog post.

Speaking to SCMagazineUK.com earlier today, GDS founder and OWASP member Justin Clarke said that it was a critical flaw similar to Heartbleed, in the way that it reads information out of a server's memory. He added that the latter, though, is clearly more wide-spread.

“It's critical. It allows an attacker to read contents of other user's requests/responses out of the server's memory,” Clarke said on the flaw. “This would be the most useful for session hijacking/impersonating people on a site by getting their cookies, but would also potentially disclose any sensitive information in the traffic between a user and the server.

“The issue is with error handling code, which causes the server to return data belonging to other users that has been temporarily stored in memory.”

GDS Security recommends those using vulnerable Jetty web server versions to upgrade to version 9.2.9.v20150224 immediately (the update is currently available from Maven and the Jetty Downloads Page), whilst also warning that the lightweight HTTP server comes bundled with a number of third-party products, such as in Java, the Google App Engine and Twitter's streaming API. It also promises integration with the likes of Red5, Hadoop and I2P.

On this, Clarke says: “Organisations will need to get patches from their vendors, most of whom have only just heard about the release at the same time as the security issue due to the Jetty project releasing these details simultaneously.”

The blog post added: “Organisations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available. Additionally, we have encountered cases where development teams use Jetty as a lightweight replacement for app servers such as Tomcat. Organisations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty.”

Eclipse Foundation, the group behind the open-source web server, has been praised for its rapid response to the issue (it was notified on February 19, downloaded the vulnerability report on February 23, and started issuing bug fixes yesterday). GDS has created a simple python script (accessible here from Github) so businesses can determine if a Jetty server is vulnerable.

Simon Beattie, technical manager at penetration tester RandomStorm, an Accumuli Security company, told SC: “It would seem this vulnerability has already been coined JetLeak. Jetty web server may not be widely used within regular websites, however, due to its lightweight nature, it is bundled with a number of different packages, for example, Apache ActiveMQ and Cisco SESM systems both bundle this web server with their applications.

“As a result, users may not be aware that their system is using the Jetty web server. Fortunately, Jetty has already released a version (9.2.9.v20150224) which fixes the vulnerability, so our advice to sysadmins would be to update as soon as possible. Vendors should be including this update within their own bundled applications, we strongly advise updating these too. To check whether your web servers are vulnerable to JetLeak, details of Jetty powered applications can be found at  http://eclipse.org/jetty/powered/

Mike McLaughlin, senior penetration tester and technical team lead at First Base Technologies, added in an email to SC: “This is an interesting vulnerability which has similar ramifications to the Heartbleed vulnerability discovered last year. Although it is very serious, especially if businesses are storing sensitive data with Jetty powered applications, the bigger issue is the use of Jetty within embedded systems. Often these embedded systems will not receive patches from the vendor, leaving this vulnerability exploitable and the organisation at risk.”