Red Hat Product Errata RHSA-2021:1509 - Security Advisory
Issued:
2021-05-05
Updated:
2021-05-05

RHSA-2021:1509 - Security Advisory

Synopsis

Moderate: rh-eclipse-jetty security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for rh-eclipse-jetty is now available for Red Hat Developer Tools.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Jetty is a 100% Java HTTP Server and Servlet Container.

The following packages have been upgraded to a later upstream version: rh-eclipse-jetty (9.4.40).

Security Fix(es):

  • jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)
  • jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)
  • jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Developer Tools (for RHEL Workstation) 1 x86_64
  • Red Hat Developer Tools (for RHEL Server) 1 x86_64

Fixes

  • BZ - 1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
  • BZ - 1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
  • BZ - 1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame

Red Hat Developer Tools (for RHEL Workstation) 1

SRPM
rh-eclipse-jetty-9.4.40-1.1.el7_9.src.rpm SHA-256: 8e1a65d621558bff192bda07613039a5166d97b79092bede4afff549dc26f818
x86_64
rh-eclipse-jetty-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 83a5f051e38cbe625d4b660f735d9cc698d2158e2856fd941c6de3c378ce84ef
rh-eclipse-jetty-client-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 0b00c8804858587287c4c72c8eec6fa6b6ebf3b47fb2ca60f1f9b986a7db959f
rh-eclipse-jetty-continuation-9.4.40-1.1.el7_9.noarch.rpm SHA-256: fbb4ff927362f15967d8069fb7c8b074774ef353abac01fa9c643a4b8e2b6cf3
rh-eclipse-jetty-http-9.4.40-1.1.el7_9.noarch.rpm SHA-256: d5fd93ab8e52c0c4bb88c066a0900a55540ebc248140ff060081ea927b289bd4
rh-eclipse-jetty-io-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 17b506759103b0f0f339010e44741fa7ec40a722d9f6f8cb00d16534d132a91d
rh-eclipse-jetty-jaas-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 74c3e349538d6e232a1caf7fbda127d1fbfb1dfce0b97019b606fbaf71096ad4
rh-eclipse-jetty-javadoc-9.4.40-1.1.el7_9.noarch.rpm SHA-256: f005d81e7fb7f737b5b2a8b23d83786b882508d74627ff9d18bad804cd85f43f
rh-eclipse-jetty-jmx-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 806f027e1efa7010a93ea57cff474addb5f8dc2867ac48f6665c107a9d28940b
rh-eclipse-jetty-security-9.4.40-1.1.el7_9.noarch.rpm SHA-256: bd5f8998fd2a18483cee670e63020e6647cae446b54dcbd5c412943a6b2a24b0
rh-eclipse-jetty-server-9.4.40-1.1.el7_9.noarch.rpm SHA-256: af9ac9d6e1e609f01772dea2fe59fafb1ed8eb35e7ce0a7babed961fa545a1da
rh-eclipse-jetty-servlet-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 396c51c06d229589eeceb7c2e33f5f34b7a6514b44161dbc33af583a039f0376
rh-eclipse-jetty-util-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 21514510fdaebb4aeda2b637adf0e7c12d64463950dae2b2492f10a9a2b93c52
rh-eclipse-jetty-util-ajax-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 9091f46aff986d60759a7c894e8fcc41ef99ceca598e7885cf7209937dd883cb
rh-eclipse-jetty-webapp-9.4.40-1.1.el7_9.noarch.rpm SHA-256: aa857fd80dc9a51ab4a49841e1cccd2fd334b701ffd0ecdb49e09c451b0b71a7
rh-eclipse-jetty-xml-9.4.40-1.1.el7_9.noarch.rpm SHA-256: e0ea3b4d3e8994929419e5002a353294f83ea0fad1e9de56da7f9476ac8e20bd

Red Hat Developer Tools (for RHEL Server) 1

SRPM
rh-eclipse-jetty-9.4.40-1.1.el7_9.src.rpm SHA-256: 8e1a65d621558bff192bda07613039a5166d97b79092bede4afff549dc26f818
x86_64
rh-eclipse-jetty-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 83a5f051e38cbe625d4b660f735d9cc698d2158e2856fd941c6de3c378ce84ef
rh-eclipse-jetty-client-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 0b00c8804858587287c4c72c8eec6fa6b6ebf3b47fb2ca60f1f9b986a7db959f
rh-eclipse-jetty-continuation-9.4.40-1.1.el7_9.noarch.rpm SHA-256: fbb4ff927362f15967d8069fb7c8b074774ef353abac01fa9c643a4b8e2b6cf3
rh-eclipse-jetty-http-9.4.40-1.1.el7_9.noarch.rpm SHA-256: d5fd93ab8e52c0c4bb88c066a0900a55540ebc248140ff060081ea927b289bd4
rh-eclipse-jetty-io-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 17b506759103b0f0f339010e44741fa7ec40a722d9f6f8cb00d16534d132a91d
rh-eclipse-jetty-jaas-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 74c3e349538d6e232a1caf7fbda127d1fbfb1dfce0b97019b606fbaf71096ad4
rh-eclipse-jetty-javadoc-9.4.40-1.1.el7_9.noarch.rpm SHA-256: f005d81e7fb7f737b5b2a8b23d83786b882508d74627ff9d18bad804cd85f43f
rh-eclipse-jetty-jmx-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 806f027e1efa7010a93ea57cff474addb5f8dc2867ac48f6665c107a9d28940b
rh-eclipse-jetty-security-9.4.40-1.1.el7_9.noarch.rpm SHA-256: bd5f8998fd2a18483cee670e63020e6647cae446b54dcbd5c412943a6b2a24b0
rh-eclipse-jetty-server-9.4.40-1.1.el7_9.noarch.rpm SHA-256: af9ac9d6e1e609f01772dea2fe59fafb1ed8eb35e7ce0a7babed961fa545a1da
rh-eclipse-jetty-servlet-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 396c51c06d229589eeceb7c2e33f5f34b7a6514b44161dbc33af583a039f0376
rh-eclipse-jetty-util-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 21514510fdaebb4aeda2b637adf0e7c12d64463950dae2b2492f10a9a2b93c52
rh-eclipse-jetty-util-ajax-9.4.40-1.1.el7_9.noarch.rpm SHA-256: 9091f46aff986d60759a7c894e8fcc41ef99ceca598e7885cf7209937dd883cb
rh-eclipse-jetty-webapp-9.4.40-1.1.el7_9.noarch.rpm SHA-256: aa857fd80dc9a51ab4a49841e1cccd2fd334b701ffd0ecdb49e09c451b0b71a7
rh-eclipse-jetty-xml-9.4.40-1.1.el7_9.noarch.rpm SHA-256: e0ea3b4d3e8994929419e5002a353294f83ea0fad1e9de56da7f9476ac8e20bd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.