PT-2018-3748 · Eclipse+1 · Eclipse Jetty+1
Published: 2018-06-26 · Updated: 2021-09-23
CVE-2017-7657
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Eclipse Jetty versions 9.2.x and older
Eclipse Jetty versions 9.3.x
Eclipse Jetty versions 9.4.x (non-default configuration with RFC2616 compliance enabled)
Description
The issue is related to the inconsistent interpretation of HTTP requests in the Eclipse Jetty servlet container. This can be exploited by a remote attacker to impact the confidentiality, integrity, and availability of protected information. The problem lies in the handling of transfer-encoding chunks, which are vulnerable to integer overflow. As a result, a large chunk size can be interpreted as a smaller chunk size, and content sent as a chunk body can be interpreted as a pipelined request. If Eclipse Jetty is deployed behind an intermediary that imposes authorization and allows large chunks to pass through unchanged, this flaw can be used to bypass the authorization imposed by the intermediary.
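The wrap described above, shown as an added example that is not Jetty's code and not part of the original advisory: a simplified model in which the hex chunk-size field is accumulated in a 32-bit int, next to a bounds-checked form that rejects the same input. The class and method names, the sample size string and the 1 MiB limit are assumptions made for this illustration.

```java
// Added illustration: a simplified model of chunk-size parsing, not Jetty's parser.
public class ChunkSizeCheck {

    // Naive form: accumulates hex digits in a 32-bit int. Once the value needs
    // more than 32 bits, the high-order bits are silently discarded, so a very
    // large declared size is read as a much smaller one.
    static int parseNaive(String hex) {
        int size = 0;
        for (char c : hex.toCharArray()) {
            size = size * 16 + Character.digit(c, 16);
        }
        return size;
    }

    // Checked form: accumulates in a long, validates every digit, and fails as
    // soon as the running value exceeds the configured limit. Because the value
    // is checked after each digit, the long itself can never overflow.
    static int parseChecked(String hex, int maxChunk) {
        if (hex.isEmpty()) {
            throw new IllegalArgumentException("empty chunk size");
        }
        long size = 0;
        for (char c : hex.toCharArray()) {
            int digit = Character.digit(c, 16);
            if (digit < 0) {
                throw new IllegalArgumentException("invalid hex digit in chunk size");
            }
            size = size * 16 + digit;
            if (size > maxChunk) {
                throw new IllegalArgumentException("chunk size exceeds limit");
            }
        }
        return (int) size;
    }

    public static void main(String[] args) {
        String declared = "100000010";   // constructed sample: needs 33 bits
        int limit = 1 << 20;             // assumed limit of 1 MiB per chunk
        System.out.println("declared (hex): " + declared);
        System.out.println("naive parser reads: " + parseNaive(declared));
        try {
            parseChecked(declared, limit);
        } catch (IllegalArgumentException e) {
            System.out.println("checked parser rejects: " + e.getMessage());
        }
    }
}
```

The disagreement between the declared size and the size the naive parser acts on is what lets an intermediary and the backend see different request boundaries; the checked form removes that disagreement by refusing the request.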
Recommendations
For Eclipse Jetty versions 9.2.x and older, consider disabling the transfer-encoding chunk handling until a patch is available.
For Eclipse Jetty versions 9.3.x, restrict access to the intermediary that imposes authorization to minimize the risk of exploitation.
For Eclipse Jetty versions 9.4.x with non-default configuration and RFC2616 compliance enabled, avoid using large chunk sizes in transfer-encoding until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Integer Overflow
HTTP Request/Response Smuggling
Related identifiers
Affected products
Alt Linux
Eclipse Jetty