Bug 1210621 (CVE-2023-26049) - VUL-0: CVE-2023-26049: jetty-minimal,jetty-websocket: Cookie parsing of quoted values can exfiltrate values from other cookies
Status: RESOLVED FIXED
Alias: CVE-2023-26049
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/363935/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-26049:3.7:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-19 08:15 UTC by Cathy Hu
Modified: 2024-05-06 12:33 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Cathy Hu 2023-04-19 08:15:47 UTC
CVE-2023-26049

Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing
in Jetty may allow an attacker to smuggle cookies within other cookies, or
otherwise perform unintended behavior by tampering with the cookie parsing
mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it
will continue to read the cookie string until it sees a closing quote -- even if
a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b;
JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name
DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate
cookies. This has security implications because if, say, JSESSIONID is an
HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page,
an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie
and thereby exfiltrate it. This is significant when an intermediary is enacting
some policy based on cookies, so a smuggled cookie can bypass that policy yet
still be seen by the Jetty server or its logging system. This issue has been
addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are
advised to upgrade. There are no known workarounds for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26049
https://www.cve.org/CVERecord?id=CVE-2023-26049
https://github.com/eclipse/jetty.project/pull/9339
https://github.com/eclipse/jetty.project/pull/9352
https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
https://www.rfc-editor.org/rfc/rfc2965
https://www.rfc-editor.org/rfc/rfc6265
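The parsing difference described above, as an added illustration that is not part of this bug report or of Jetty's source: a hypothetical quote-aware parser (modelling the lenient behaviour the advisory describes) next to a strict RFC 6265 cookie-string parser, plus a check that reports which cookie names the lenient parse would hide. The header value is the one quoted in the description; the function names are assumed.

```python
from typing import List, Tuple

# Constructed sample header from the advisory text: three cookies, the first
# quoted such that a quote-aware parser swallows the other two.
HEADER = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"'

def parse_quote_aware(header: str) -> List[Tuple[str, str]]:
    """Hypothetical model of the lenient behaviour the advisory describes (not
    Jetty's code): a value starting with '"' is read up to the closing quote,
    semicolons included."""
    cookies = []
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in ' ;':
            i += 1
        eq = header.find('=', i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':
            end = header.find('"', i + 1)
            end = n if end == -1 else end
            value = header[i + 1:end]
            i = end + 1
        else:
            end = header.find(';', i)
            end = n if end == -1 else end
            value = header[i:end].strip()
            i = end
        cookies.append((name, value))
    return cookies

def parse_rfc6265(header: str) -> List[Tuple[str, str]]:
    """RFC 6265 cookie-string grammar: cookie-pairs are separated by ';' and a
    cookie-value never contains ';', so a quote does not extend a value."""
    cookies = []
    for pair in header.split(';'):
        name, sep, value = pair.strip().partition('=')
        if sep and name:
            cookies.append((name.strip(), value.strip()))
    return cookies

def smuggled_cookie_names(header: str) -> List[str]:
    """Detection helper: cookie names that only the strict parse exposes, i.e.
    names a quote-aware parser would hide inside another cookie's value."""
    lenient = {n for n, _ in parse_quote_aware(header)}
    strict = {n for n, _ in parse_rfc6265(header)}
    return sorted(strict - lenient)
```

Running `smuggled_cookie_names(HEADER)` reports `JSESSIONID` and `c`, the two cookies that the lenient parse folds into `DISPLAY_LANGUAGE`; a proxy or log pipeline that parses cookies strictly will still see them, which is the policy-bypass case the description mentions.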
Comment 1 Cathy Hu 2023-04-19 08:16:08 UTC
Affected:
- SUSE:SLE-15-SP2:Update/jetty-minimal    9.4.48
- SUSE:SLE-15-SP2:Update/jetty-websocket  9.4.48
- openSUSE:Factory/jetty-minimal          9.4.48
- openSUSE:Factory/jetty-unixsocket       9.4.48
- openSUSE:Factory/jetty-websocket        9.4.48
Comment 4 Maintenance Automation 2023-06-19 08:30:20 UTC
SUSE-SU-2023:2539-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1210620, 1210621
CVE References: CVE-2023-26048, CVE-2023-26049
Sources used:
openSUSE Leap 15.4 (src): jetty-minimal-9.4.51-150200.3.19.2
openSUSE Leap 15.5 (src): jetty-minimal-9.4.51-150200.3.19.2
Development Tools Module 15-SP4 (src): jetty-minimal-9.4.51-150200.3.19.2
Development Tools Module 15-SP5 (src): jetty-minimal-9.4.51-150200.3.19.2
SUSE Linux Enterprise Real Time 15 SP3 (src): jetty-minimal-9.4.51-150200.3.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Fridrich Strba 2024-03-04 12:24:19 UTC
Time to close
Comment 6 Robert Frohl 2024-05-06 12:33:19 UTC
done, closing