CVE-2017-7657
📋 TL;DR
This vulnerability in Eclipse Jetty allows attackers to bypass authorization controls by exploiting an integer overflow in chunk length parsing. When Jetty is deployed behind an intermediary proxy with authorization, specially crafted HTTP requests can be interpreted as pipelined requests to bypass security checks. Affects Jetty versions 9.2.x and older, 9.3.x, and 9.4.x with RFC2616 compliance enabled.
💻 Affected Systems
- Eclipse Jetty
📦 What is this software?
E Series Santricity Os Controller by Netapp
E Series Santricity Web Services by Netapp
Element Software Management Node by Netapp
Jetty by Eclipse
⚠️ Risk & Real-World Impact
Worst Case
Complete authorization bypass allowing unauthorized access to protected resources, potentially leading to data theft, privilege escalation, or system compromise.
Likely Case
Bypass of proxy-level authorization controls, allowing attackers to access restricted endpoints or services that should be protected.
If Mitigated
Limited impact if Jetty is not behind an authorization proxy or if proper input validation and size limits are enforced.
🎯 Exploit Status
Exploitation requires Jetty to be behind an authorization proxy and the ability to send HTTP requests with malicious chunk sizes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jetty 9.2.25.v20180606, 9.3.24.v20180605, 9.4.9.v20180320
Vendor Advisory: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
Restart Required: Yes
Instructions:
1. Identify the current Jetty version.
2. Upgrade to a patched version: 9.2.25+, 9.3.24+, or 9.4.9+.
3. Restart the Jetty service.
4. Verify the fix by testing with known exploit payloads.
🔧 Temporary Workarounds
Disable RFC2616 Compliance
For Jetty 9.4.x, disable RFC2616 compliance mode, which is required for exploitation in this version.
Set 'org.eclipse.jetty.http.HttpCompliance.RFC2616' to false in jetty configuration
Configure Proxy Chunk Limits
Configure upstream proxies to limit the maximum chunk size, preventing the integer overflow.
nginx: client_max_body_size 10m;
apache: LimitRequestBody 10485760
🧯 If You Can't Patch
- Deploy Web Application Firewall (WAF) with rules to detect and block malicious chunked transfer encoding
- Implement network segmentation to isolate vulnerable Jetty instances from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check Jetty version and configuration. For 9.4.x, verify if RFC2616 compliance is enabled.
Check Version:
java -jar jetty-distribution-*.jar --version or check server startup logs
Verify Fix Applied:
Test with proof-of-concept exploit payloads after patching to confirm they are blocked.
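An added helper for the version check above (example code written for this page, not Eclipse Jetty's own tooling): it parses a Jetty version string such as 9.4.8.v20171121, compares it against the patched releases listed under Official Fix, and applies the advisory's condition that 9.4.x is only affected when RFC2616 compliance is enabled. The log helper assumes the startup log carries the version as a jetty-<version> token; that format and the sample log line are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Minimum patched patch-level per affected minor line, taken from the Official Fix section
PATCHED_PATCH_LEVEL = {(9, 2): 25, (9, 3): 24, (9, 4): 9}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Assumption: the startup log carries the version as "jetty-<major>.<minor>.<patch>[.vYYYYMMDD]"
LOG_VERSION_RE = re.compile(r"jetty-(\d+\.\d+\.\d+(?:\.v\d+)?)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings like '9.4.8.v20171121'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str, rfc2616_compliance: bool = True) -> bool:
    """Apply the advisory's affected ranges:
    - 9.2.x and older: affected below 9.2.25
    - 9.3.x: affected below 9.3.24
    - 9.4.x: affected below 9.4.9, and only when RFC2616 compliance is enabled
    Versions newer than 9.4 are outside the ranges the advisory lists."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line < (9, 2):
        return True
    if line > (9, 4):
        return False
    if line == (9, 4) and not rfc2616_compliance:
        return False
    return patch < PATCHED_PATCH_LEVEL[line]


def version_from_startup_log(log_text: str) -> Optional[str]:
    """Return the first jetty-<version> token found in startup log text, if any."""
    m = LOG_VERSION_RE.search(log_text)
    return m.group(1) if m else None


# Constructed sample startup line (not real log output)
SAMPLE_LOG = ("2018-03-01 10:00:00.000:INFO:oejs.Server:main: "
              "jetty-9.4.8.v20171121, build timestamp: 2017-11-21T21:27:37Z")

if __name__ == "__main__":
    found = version_from_startup_log(SAMPLE_LOG)
    status = "vulnerable" if found and is_vulnerable(found) else "not in an affected range"
    print(found, status)
```

For a fleet check, feed each host's startup log (or the output of the version command) through version_from_startup_log and is_vulnerable; set rfc2616_compliance from the host's actual Jetty configuration rather than leaving the conservative default.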
📡 Detection & Monitoring
Log Indicators:
- Unusual chunk size values in HTTP logs
- Requests with abnormally large Content-Length or Transfer-Encoding headers
- Failed authorization attempts followed by successful requests
Network Indicators:
- HTTP requests with chunk sizes near integer overflow limits (2^31-1)
- Multiple requests pipelined in single connection
SIEM Query:
source="jetty.log" AND ("Transfer-Encoding: chunked" AND content_length>1000000000) OR ("RFC2616" AND "enabled")
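The network indicator above (chunk sizes near the 2^31-1 boundary) comes down to how a chunk-size line is parsed. As an added example, not code from Eclipse Jetty or from this advisory, here is a chunked-body decoder that checks the parsed size against the 32-bit signed range and a policy limit before using it, plus a detection wrapper that reports why a body was rejected. The sample bodies are constructed; the 1 MiB policy limit is an assumed value.

```python
from typing import Optional, Tuple

INT32_MAX = 2**31 - 1          # the overflow boundary the advisory refers to
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


class ChunkViolation(ValueError):
    """Raised when a chunk-size line cannot be accepted safely."""


def parse_chunk_size(size_line: bytes, max_chunk: int) -> int:
    """Parse one chunk-size line (hex digits, optional ';ext') with explicit
    bounds checks instead of letting the value wrap in a fixed-width integer."""
    field = size_line.split(b";", 1)[0].strip()
    if not field or any(b not in HEX_DIGITS for b in field):
        raise ChunkViolation("malformed chunk size")
    # More than 8 significant hex digits cannot fit in 32 bits at all;
    # Python ints do not wrap, so the comparison below is exact
    if len(field.lstrip(b"0")) > 8 or int(field, 16) > INT32_MAX:
        raise ChunkViolation("chunk size exceeds 32-bit signed range")
    size = int(field, 16)
    if size > max_chunk:
        raise ChunkViolation("chunk size exceeds policy limit")
    return size


def decode_chunked(raw: bytes, max_chunk: int = 1 << 20) -> Tuple[bytes, int]:
    """Decode a chunked body, returning (payload, bytes_consumed).
    Any malformed, overflowing or over-limit chunk size raises ChunkViolation."""
    pos, out = 0, bytearray()
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkViolation("truncated chunk-size line")
        size = parse_chunk_size(raw[pos:eol], max_chunk)
        pos = eol + 2
        if size == 0:
            # last-chunk: skip optional trailer lines up to the empty line
            while True:
                eol = raw.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkViolation("truncated trailer")
                line_len = eol - pos
                pos = eol + 2
                if line_len == 0:
                    return bytes(out), pos
        if len(raw) < pos + size + 2:
            raise ChunkViolation("truncated chunk data")
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkViolation("chunk data not terminated by CRLF")
        out += raw[pos:pos + size]
        pos += size + 2


def audit_chunked(raw: bytes, max_chunk: int = 1 << 20) -> Optional[str]:
    """Detection wrapper: None when the body decodes cleanly, otherwise the reason."""
    try:
        decode_chunked(raw, max_chunk)
        return None
    except ChunkViolation as exc:
        return str(exc)


# Constructed sample bodies (not captured traffic)
SAMPLE_OK = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
SAMPLE_NEAR_LIMIT = b"7FFFFFFF\r\nabcd\r\n0\r\n\r\n"   # exactly 2^31-1: fits int32, far beyond policy
SAMPLE_OVERFLOW = b"100000001\r\nabcd\r\n0\r\n\r\n"    # does not fit in 32 bits at all

if __name__ == "__main__":
    for name, body in (("ok", SAMPLE_OK), ("near-limit", SAMPLE_NEAR_LIMIT), ("overflow", SAMPLE_OVERFLOW)):
        print(name, audit_chunked(body) or "clean")
```

The two size checks are deliberately separate so that a monitoring pipeline can distinguish a header that would overflow a 32-bit parser (the condition this CVE is about) from one that is merely larger than local policy allows; both are worth alerting on, but the first is the stronger indicator.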
🔗 References
- http://www.securitytracker.com/id/1041194
- https://access.redhat.com/errata/RHSA-2019:0910
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://www.debian.org/security/2018/dsa-4278
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html