CVE-2019-17638
📋 TL;DR
CVE-2019-17638 is a critical information disclosure vulnerability in Eclipse Jetty where improper buffer handling allows one client to see another client's sensitive data. When Jetty encounters oversized response headers, it double-releases a buffer that can then be reused by different threads, potentially exposing HTTP session IDs, authentication credentials, or other sensitive information. This affects Jetty servers running vulnerable versions that process HTTP requests.
💻 Affected Systems
- Eclipse Jetty
📦 What is this software?
Jetty by Eclipse
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive user data including authentication credentials, session tokens, and personal information belonging to multiple users, potentially leading to account takeover and data breaches.
Likely Case
Information leakage where one user sees fragments of another user's session data or request/response content, potentially exposing session IDs or partial sensitive data.
If Mitigated
Minimal impact with proper header size configuration and monitoring; potential for occasional buffer errors but no data leakage.
🎯 Exploit Status
Exploitation requires sending requests that trigger oversized response headers, which can be done by unauthenticated clients. The timing aspect makes exploitation somewhat complex but feasible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.30.v20200611 and later
Vendor Advisory: https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984
Restart Required: Yes
Instructions:
1. Download Jetty version 9.4.30.v20200611 or later from https://jetty.eclipse.org/download.html.
2. Stop the Jetty server.
3. Replace the Jetty installation with the patched version.
4. Restart the Jetty server.
5. Verify the version is updated.
🔧 Temporary Workarounds
Configure Response Header Size
Set responseHeaderSize significantly larger than requestHeaderSize to reduce the likelihood of triggering the vulnerability.
In jetty.xml or start.ini, add: --module=http,http2c
Set: jetty.httpConfig.responseHeaderSize=12288
Set: jetty.httpConfig.requestHeaderSize=8192
🧯 If You Can't Patch
- Configure responseHeaderSize to 12KB and requestHeaderSize to 8KB as described in workarounds
- Implement network segmentation and monitoring to detect oversized header attacks
🔍 How to Verify
Check if Vulnerable:
Check Jetty version with: java -jar start.jar --version or examine server logs for version information
Check Version:
java -jar start.jar --version | grep -i jetty
Verify Fix Applied:
Verify version is 9.4.30.v20200611 or later using the version check command
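An audit helper that combines the version check above with a check for the header-size workaround, added here as an example and not code from the Jetty project or the advisory. It assumes the version string appears as 9.4.NN.vYYYYMMDD somewhere in the `java -jar start.jar --version` output and that start.ini carries the jetty.httpConfig.* keys shown above; both sample inputs are constructed, and the 8192 default header size is an assumption about Jetty 9.4's HttpConfiguration.

```python
import re
from typing import Optional, Tuple

# First patched release named in the advisory.
FIXED_VERSION = "9.4.30.v20200611"
# Jetty 9.4 releases are versioned MAJOR.MINOR.PATCH.vYYYYMMDD.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.v(\d{8})\b")
# Assumed HttpConfiguration default for both header sizes when start.ini is silent.
_DEFAULT_HEADER_SIZE = 8192

# Constructed stand-ins for `java -jar start.jar --version` output and start.ini.
SAMPLE_VERSION_OUTPUT = "Jetty Server Classpath:\nVersion: 9.4.28.v20200408\n"
SAMPLE_START_INI = "--module=http,http2c\njetty.httpConfig.responseHeaderSize=12288\njetty.httpConfig.requestHeaderSize=8192\n"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first Jetty-style version in `text` as a comparable tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_patched(version_output: str) -> Optional[bool]:
    """True if the detected version is at or after the fix; None if no version is found."""
    found = parse_version(version_output)
    return None if found is None else found >= parse_version(FIXED_VERSION)


def header_sizes(start_ini: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (requestHeaderSize, responseHeaderSize) as set in start.ini, None if absent."""
    def lookup(key: str) -> Optional[int]:
        m = re.search(rf"^\s*jetty\.httpConfig\.{key}\s*=\s*(\d+)", start_ini, re.M)
        return int(m.group(1)) if m else None
    return lookup("requestHeaderSize"), lookup("responseHeaderSize")


def workaround_applied(start_ini: str) -> bool:
    """True when responseHeaderSize is explicitly set above the effective requestHeaderSize."""
    req, resp = header_sizes(start_ini)
    req = _DEFAULT_HEADER_SIZE if req is None else req
    return resp is not None and resp > req


def audit(version_output: str, start_ini: str) -> str:
    """Classify a host as patched, vulnerable-workaround, vulnerable or unknown."""
    patched = is_patched(version_output)
    if patched is None:
        return "unknown"
    if patched:
        return "patched"
    return "vulnerable-workaround" if workaround_applied(start_ini) else "vulnerable"


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_OUTPUT, SAMPLE_START_INI))  # vulnerable-workaround
```

Feed the real `--version` output and start.ini contents to `audit()`; a result other than "patched" means the host still needs the upgrade, with "vulnerable-workaround" only confirming the interim header-size mitigation is in place.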
📡 Detection & Monitoring
Log Indicators:
- HTTP 431 error responses
- Exceptions related to buffer handling or oversized headers
- Multiple threads accessing the same buffer
Network Indicators:
- Unusual patterns of requests with large headers
- Clients reporting seeing other users' data
SIEM Query:
source="jetty.log" AND ("HTTP 431" OR "response header too large" OR "ByteBufferPool" OR "double release")
🔗 References
- http://www.openwall.com/lists/oss-security/2020/08/17/1
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984
- https://lists.apache.org/thread.html/r29073905dc9139d0d7a146595694bf57bb9e35e5ec6aa73eb9c8443a%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r378e4cdec15e132575aa1dcb6296ffeff2a896745a8991522e266ad4%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r4bdd3f7bb6820a79f9416b6667d718a06d269018619a75ce4b759318%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r521168299e023fb075b57afe33d17ff1d09e8a10e0fd8c775ea0e028%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r7fc5f2ed49641ea91c433e3cd0fc3d31c0278c87b82b15c33b881415%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r81f58591fb4716fb867b36956f30c7c8ad4ab3f23abc952d9d86a2a0%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r9a2cfa56d30782a0c17a5deb951a622d1f5c8de48e1c3b578ffc2a84%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ra8661fc8c69c647cb06153c1485d48484a833d873f75dfe45937e9de%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rbe1f230e87ea947593145d0072d0097ddb0af10fee1161db8ca1546c%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rd98cfd012490cb02caa1a11aaa0cc38bff2d43bcce9b20c2f01063dd%40%3Ccommits.pulsar.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XE6US6VPZHOWFMUSFGDS5V2DNQPY5MKB/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html