Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW02Y3AtdnhqeC02NWo2
SessionListener can prevent a session from being invalidated breaking logout
Impact
If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to sessionDestroyed, the getLastAccessedTime() throws an IllegalStateException, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out.
Workarounds
The application should catch all Throwables within their SessionListener#sessionDestroyed() implementations.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW02Y3AtdnhqeC02NWo2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 3.5
CVSS vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-m6cp-vxjx-65j6, CVE-2021-34428
References:
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
- https://nvd.nist.gov/vuln/detail/CVE-2021-34428
- https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210813-0003/
- https://www.debian.org/security/2021/dsa-4949
- https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/advisories/GHSA-m6cp-vxjx-65j6
Blast Radius: 15.9
Affected Packages
maven:org.eclipse.jetty:jetty-server
Dependent packages: 3,819Dependent repositories: 34,580
Downloads:
Affected Version Ranges: >= 11.0.0, <= 11.0.2, >= 10.0.0, <= 10.0.2, <= 9.4.40
Fixed in: 11.0.3, 10.0.3, 9.4.41
All affected versions: 10.0.0, 10.0.1, 10.0.2, 11.0.0, 11.0.1, 11.0.2
All unaffected versions: 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.0.10, 10.0.11, 10.0.12, 10.0.13, 10.0.14, 10.0.15, 10.0.16, 10.0.17, 10.0.18, 10.0.19, 10.0.20, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7, 11.0.8, 11.0.9, 11.0.10, 11.0.11, 11.0.12, 11.0.13, 11.0.14, 11.0.15, 11.0.16, 11.0.17, 11.0.18, 11.0.19, 11.0.20, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.0.6, 12.0.7, 12.0.8