CVE-2017-7658

9.8 CRITICAL

📋 TL;DR

CVE-2017-7658 is a critical HTTP request smuggling vulnerability in Eclipse Jetty. When a request carries two Content-Length headers, unpatched Jetty honours the first and ignores the second; when it carries both Content-Length and Transfer-Encoding: chunked, Jetty ignores Content-Length (as RFC 2616 specifies). If an intermediary in front of Jetty (reverse proxy, gateway, WAF) frames the body differently but forwards the bytes unchanged, Jetty parses the surplus as a second, pipelined request that the intermediary never inspected, so any authorization the intermediary enforces is bypassed. Affected: Jetty 9.2.x and older, 9.3.x in non-HTTP/1.x configurations, and 9.4.x in HTTP/1.x configurations.
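The following script, added here as an illustration and not code from Jetty or the Eclipse advisory, makes the framing disagreement concrete. It models a hypothetical front-end that honours the last Content-Length it sees and never dechunks, an unpatched Jetty that honours only the first Content-Length and lets chunked encoding override it, and a strict policy that rejects ambiguous framing the way a patched server (or a filtering proxy, as the mitigation sections below call for) does. The request bytes, host name and paths are constructed for the example.

```python
"""Simulate the request framing disagreement behind CVE-2017-7658.

Policies: "frontend" (hypothetical proxy: last Content-Length wins, never
dechunks), "jetty_vulnerable" (first Content-Length wins, chunked overrides
Content-Length), "strict" (rejects ambiguous framing, as a patched server
does). Sample requests, host and paths are constructed for this example.
"""

CRLF = b"\r\n"


class AmbiguousFraming(Exception):
    """Raised by the strict policy; a real server answers 400 instead."""


def _body_framing(headers, policy):
    """Return ("cl", n), ("chunked", None) or ("none", 0) under a policy."""
    cls = [v for k, v in headers if k == "content-length"]
    chunked = any("chunked" in v for k, v in headers if k == "transfer-encoding")
    if policy == "strict":
        if len(cls) > 1:
            raise AmbiguousFraming("multiple Content-Length headers")
        if cls and chunked:
            raise AmbiguousFraming("Content-Length together with chunked")
    if policy == "jetty_vulnerable":
        if chunked:                      # chunked wins; Content-Length ignored
            return "chunked", None
        return ("cl", int(cls[0])) if cls else ("none", 0)   # second CL ignored
    # "frontend" (and "strict" once validated): the last Content-Length wins
    if cls:
        return "cl", int(cls[-1])
    return ("chunked", None) if chunked else ("none", 0)


def _read_chunked(stream, pos):
    """Consume a chunked body at pos; return (body, offset after the trailer)."""
    body = b""
    while True:
        line_end = stream.find(CRLF, pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:                    # last chunk, then an empty trailer line
            return body, stream.find(CRLF, pos) + 2
        body += stream[pos:pos + size]
        pos += size + 2                  # chunk data plus its trailing CRLF


def split_requests(stream, policy):
    """Split a raw byte stream into (method, path, body) tuples under a policy."""
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(CRLF + CRLF, pos)
        if end < 0:
            raise ValueError("incomplete request head")
        lines = stream[pos:end].decode("ascii").split("\r\n")
        method, path, _version = lines[0].split(" ")
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip().lower()))
        pos = end + 4
        kind, n = _body_framing(headers, policy)
        if kind == "chunked":
            body, pos = _read_chunked(stream, pos)
        else:
            body, pos = stream[pos:pos + n], pos + n
        requests.append((method, path, body))
    return requests


def compare(stream):
    """Paths each party sees; the strict policy reports why it rejected."""
    result = {p: [path for _, path, _ in split_requests(stream, p)]
              for p in ("frontend", "jetty_vulnerable")}
    try:
        result["strict"] = [path for _, path, _ in split_requests(stream, "strict")]
    except AmbiguousFraming as exc:
        result["strict"] = f"rejected: {exc}"
    return result


# Constructed sample: a harmless-looking POST whose body carries a request
# for a path the front-end is supposed to refuse to forward.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
PREFIX = b"x=1&y="

# CL.CL: front-end frames by the last (longer) length, Jetty by the first.
CL_CL = (b"POST /public HTTP/1.1\r\nHost: app.example\r\n"
         + b"Content-Length: %d\r\n" % len(PREFIX)
         + b"Content-Length: %d\r\n\r\n" % (len(PREFIX) + len(SMUGGLED))
         + PREFIX + SMUGGLED)

# CL.TE: front-end frames by Content-Length, Jetty by the chunked body,
# which ends before the smuggled request.
CHUNKED_BODY = b"%x\r\n" % len(PREFIX) + PREFIX + b"\r\n0\r\n\r\n"
CL_TE = (b"POST /public HTTP/1.1\r\nHost: app.example\r\n"
         + b"Transfer-Encoding: chunked\r\n"
         + b"Content-Length: %d\r\n\r\n" % (len(CHUNKED_BODY) + len(SMUGGLED))
         + CHUNKED_BODY + SMUGGLED)
```

Running compare(CL_CL) and compare(CL_TE) shows the front-end seeing a single request for /public in both cases while the vulnerable parser sees /public followed by /admin; the strict policy refuses both streams before any body is read, which is exactly the behaviour to look for when verifying a patched server or a filtering proxy.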

💻 Affected Systems

Products:
  • Eclipse Jetty
Versions: 9.2.x and older, 9.3.x (all non-HTTP/1.x configurations), 9.4.x (all HTTP/1.x configurations)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exposure depends on the connector configuration. 9.3.x is affected only in non-HTTP/1.x configurations; 9.4.x is affected only in HTTP/1.x configurations, which is the common deployment. In every case the bypass requires an intermediary that frames the request body differently from Jetty and forwards the surplus bytes unchanged.

📦 What is this software?

Eclipse Jetty is an open-source Java HTTP server and servlet container. It is run both as a standalone server and, very commonly, embedded as a library inside Java applications, typically behind a reverse proxy or API gateway.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Authorization bypass at the intermediary lets an attacker reach administrative or internal endpoints; depending on what those endpoints expose, this can lead to data exfiltration, privilege escalation, or remote code execution.

🟠 Likely Case: Unauthorized access to resources that the front-end proxy, gateway or WAF was supposed to protect, with the smuggled request reaching Jetty as if it were a legitimate pipelined request.

🟢 If Mitigated: Limited impact when the intermediary rejects ambiguous framing, authorization is also enforced in the application behind Jetty rather than only at the edge, and network segmentation restricts who can reach the listener.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation needs no credentials, but it does need a deployment in which an intermediary (reverse proxy, gateway or WAF) enforces authorization, frames the request body differently from Jetty, and forwards the surplus bytes unchanged; the attacker then only has to craft raw HTTP with conflicting Content-Length / Transfer-Encoding headers. The Eclipse advisory describes the technique, and generic request-smuggling tooling applies.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jetty 9.2.25.v20180606, 9.3.24.v20180605, 9.4.11.v20180605

Vendor Advisory: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669

Restart Required: Yes

Instructions:

1. Identify the running Jetty version (see "Check Version" below).
2. Upgrade to a patched release: 9.2.25, 9.3.24, or 9.4.11 or later. For embedded Jetty, this means upgrading the jetty-server dependency of the application and rebuilding.
3. Restart the Jetty server (or redeploy the embedding application).
4. Verify the fix by sending a request with duplicate Content-Length headers, and one with Content-Length plus Transfer-Encoding: chunked; a patched Jetty rejects both with 400 Bad Request.

🔧 Temporary Workarounds

WAF Configuration (platform: all)

Configure the Web Application Firewall to reject requests with multiple Content-Length headers or with both Content-Length and Transfer-Encoding headers.

Reverse Proxy Filtering (platform: all)

Configure reverse proxies (nginx, Apache, HAProxy) to normalize or reject malformed HTTP requests before they reach Jetty, and confirm that the proxy's own framing rules match what Jetty expects, since any disagreement is the root of the bypass.

🧯 If You Can't Patch

  • Deploy WAF with rules to detect and block HTTP request smuggling attempts
  • Implement network segmentation to limit access to vulnerable Jetty instances

🔍 How to Verify

Check if Vulnerable:

Check the Jetty version and connector configuration. Versions 9.2.x ≤ 9.2.24, 9.3.x ≤ 9.3.23, and 9.4.x ≤ 9.4.10 are affected in the configurations listed above.

Check Version:

From the Jetty home directory run java -jar start.jar --version, or read the startup log, which prints a line of the form jetty-9.x.y.vYYYYMMDD. For embedded Jetty, check the version of the jetty-server artifact on the application's classpath (for example in the Maven or Gradle dependency tree), since the fix is a library upgrade.

Verify Fix Applied:

After patching, test with tools like smuggler.py, or manually send a request with duplicate Content-Length headers and one with Content-Length plus Transfer-Encoding: chunked; a patched Jetty rejects both with 400 Bad Request. Test the Jetty listener directly rather than through the proxy, so that a 400 generated by the proxy is not mistaken for the server-side fix.
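A small probe for this verification step (and for step 4 of the fix instructions above), added here as an example and not a Jetty or Eclipse tool: it sends the two ambiguous-framing requests and reports whether the listener answers 400. The host and port are placeholders supplied on the command line; the request bodies are inert, so this checks framing behaviour rather than attempting a bypass. Only run it against systems you are authorized to test.

```python
"""Probe an HTTP/1.1 listener for CVE-2017-7658-style framing acceptance.

Sends a request with two differing Content-Length headers and a request with
Content-Length plus Transfer-Encoding: chunked, then reports the status code.
Added example; the target host and port are placeholders from the command line.
"""
import socket
import sys


def build_probes(host):
    """Two inert requests whose framing a patched server refuses with 400."""
    h = host.encode("ascii")
    dup_cl = (b"POST / HTTP/1.1\r\nHost: " + h + b"\r\nConnection: close\r\n"
              b"Content-Length: 3\r\nContent-Length: 4\r\n\r\na=12")
    cl_te = (b"POST / HTTP/1.1\r\nHost: " + h + b"\r\nConnection: close\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
    return {"duplicate-content-length": dup_cl, "content-length+chunked": cl_te}


def status_code(response):
    """Status code from a raw HTTP/1.x response, or None if it is not one."""
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1."):
        return None
    try:
        return int(parts[1].decode("ascii"))
    except ValueError:
        return None


def verdict(code):
    """Human-readable interpretation of the status code for one probe."""
    if code == 400:
        return "rejected with 400 (expected from a patched Jetty or a filtering proxy)"
    if code is None:
        return "no HTTP/1.x response (connection dropped or non-HTTP listener)"
    return "accepted with %d: ambiguous framing is not rejected, investigate" % code


def send_probe(host, port, raw, timeout=5.0):
    """Send raw bytes and collect the response until close or timeout."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                         # partial response is still classifiable
    return b"".join(chunks)


def probe(host, port):
    """Run both probes against host:port and return {probe name: verdict}."""
    return {name: verdict(status_code(send_probe(host, port, raw)))
            for name, raw in build_probes(host).items()}


if __name__ == "__main__":
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    for name, result in probe(target_host, target_port).items():
        print(f"{name}: {result}")
```

Point it at the Jetty connector itself (for example the internal port the proxy forwards to), not at the public hostname: a 400 from the proxy proves only that the proxy filters, and an unpatched Jetty behind it remains exposed to any path that reaches it directly.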

📡 Detection & Monitoring

Log Indicators:

  • Multiple Content-Length headers in a single request
  • Content-Length and Transfer-Encoding headers in the same request
  • Unexpected spikes of 400 (or 413) responses, since a patched Jetty rejects conflicting framing with 400 Bad Request

Network Indicators:

  • HTTP requests with duplicate headers
  • Abnormal request/response timing patterns

SIEM Query:

(http.headers:"Content-Length" AND count>1) OR (http.headers:"Content-Length" AND http.headers:"Transfer-Encoding")

This is a pseudo-query; adapt the field names to your platform. It requires full request-header logging, which standard access logs do not provide, so it is usually fed from a proxy, WAF or network sensor rather than from Jetty's own request log.
