If you are using DefaultServlet or ResourceHandler with indexing/listing, then you are vulnerable to a variant of XSS behaviors surrounding the use of injected HTML element attributes on the parent directory link. We recommend disabling indexing/listing or upgrading to a non-vulnerable version.
To disable indexing/listing:
If using the DefaultServlet (provided by default on a standard WebApp/WAR), you’ll set the dirAllowed init-param to false.
This can be controlled in a few different ways:
Directly in your WEB-INF/web.xml
Add/edit the following entry …
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
<init-param>
<param-name>dirAllowed</param-name>
<param-value>false</param-value>
</init-param>
... (other init) ...
<load-on-startup>0</load-on-startup>
</servlet>
Alternatively, you’ll edit your configured web descriptor default (usually declared as webdefault.xml) or your web descriptor override-web.xml.
The web defaults descriptor can either be configured at the WebAppProvider level and will be applied to all webapps being deployed, or at the individual webapp.
For the WebAppProvider level, you have several choices.
If you are managing the XML yourself, you can set the Default Descriptor to your edited version:
<Call id="webappprovider" name="addAppProvider">
<Arg>
<New class="org.eclipse.jetty.deploy.providers.WebAppProvider">
<Set name="monitoredDirName">
<Property name="jetty.base"/>/other-webapps
</Set>
<Set name="defaultsDescriptor">
<Property name="jetty.base"/>/etc/webdefault.xml
</Set>
<Set name="extractWars">true</Set>
<Set name="configurationManager">
<New class="org.eclipse.jetty.deploy.PropertiesConfigurationManager"/>
</Set>
</New>
</Arg>
</Call>
Note: the WebAppProvider cannot set the override-web.xml for all webapps.
If you are using the jetty.home/jetty.base module system and associated start.d/*.ini or start.ini, then you should be able to just point to your specifically edited webdefault.xml.
Example:
$ grep jetty.deploy.defaultsDescriptorPath start.d/depoy.ini jetty.deploy.defaultsDescriptorPath=/path/to/fixed/webdefault.xml
If you are using a webapp specific deployment XML, such as what’s found in ${jetty.base}/webapps/<appname>.xml then you’ll edit the XML to point to your specific webdefault.xml or override-web.xml:
<Configure id="exampleWebapp" class="org.eclipse.jetty.webapp.WebAppContext"> <Set name="contextPath">/example</Set> <Set name="war"><Property name="jetty.webapps"/>/example.war</Set> <Set name="defaultsDescriptor">/path/to/fixed/webdefault.xml</Set> <Set name="overrideDescriptor">/path/to/override-web.xml</Set> </Configure>
Reminder, the load order for the effective web descriptor is …
- Default Descriptor – webdefault.xml
- WebApp Descriptor – WEB-INF/web.xml
- Override Descriptor – override.xml
If using the ResourceHandler (such as in an embedded-jetty setup), you’ll use the ResourceHandler.setDirAllowed(false) method.
Additionally, we discovered that usages of DefaultHandler were susceptible to a similar leak of information. If no webapp was mounted on the root “/” namespace, a page would be generated with links to other namespaces. This has been the default behavior in Jetty for years, but we have removed this to safeguard data.
As a result of these CVEs, we have released new versions for the 9.2.x, 9.3.x, and 9.4.x branches. The most up-to-date versions of all three are as follows, and are available both on the Jetty website and Maven Central.
Versions affected:
- 9.2.27 and older (now EOL)
- 9.3.26 and older
- 9.4.16 and older
Resolved:
- 9.2.28.v20190418
- 9.3.27.v20190418
- 9.4.17.v20190418
2 Comments
Arbuz · 01/05/2019 at 04:07
does jetty on JDK 11 still benefit from conscrypt provider?
Could constrypt be used as workaround for above issue?
simon · 02/05/2019 at 11:10
Jetty on JDK 11 still benefits from the Conscrypt provider because of its better performance.
The issue reported here is independent from Conscrypt.