Candidate: CVE-2017-9735
PublicDate: 2017-06-16 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9735
 https://github.com/eclipse/jetty.project/issues/1556
 https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02
 https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58
 https://github.com/eclipse/jetty.project/commit/2baa1abe4b1c380a30deacca1ed367466a1a62ea
 https://bugs.debian.org/864631
Description:
 Jetty through 9.4.x is prone to a timing channel in util/security/Password.java,
 which makes it easier for remote attackers to obtain access by observing
 elapsed times before rejection of incorrect passwords.
Ubuntu-Description:
 It was discovered that Jetty incorrectly handled rejection of passwords. An
 attacker could use this issue to possibly obtain sensitive information via a
 timing side-channel attack.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864898
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_jetty:
upstream_jetty: released (6.1.26-1+deb7u1)
precise/esm_jetty: DNE
trusty_jetty: released (6.1.26-1ubuntu1.2)
trusty/esm_jetty: released (6.1.26-1ubuntu1.2)
vivid/ubuntu-core_jetty: DNE
xenial_jetty: released (6.1.26-5ubuntu0.1)
yakkety_jetty: DNE
zesty_jetty: DNE
artful_jetty: DNE
bionic_jetty: DNE
cosmic_jetty: DNE
disco_jetty: DNE
eoan_jetty: DNE
focal_jetty: DNE
groovy_jetty: DNE
hirsute_jetty: DNE
impish_jetty: DNE
jammy_jetty: DNE
devel_jetty: DNE

Patches_jetty8:
upstream_jetty8: released (8.1.3-4+deb7u1)
precise/esm_jetty8: DNE
trusty_jetty8: ignored (out of standard support)
trusty/esm_jetty8: needed
vivid/ubuntu-core_jetty8: DNE
xenial_jetty8: ignored (end of standard support, was needed)
yakkety_jetty8: ignored (reached end-of-life)
zesty_jetty8: DNE
artful_jetty8: DNE
bionic_jetty8: DNE
cosmic_jetty8: DNE
disco_jetty8: DNE
eoan_jetty8: DNE
focal_jetty8: DNE
groovy_jetty8: DNE
hirsute_jetty8: DNE
impish_jetty8: DNE
jammy_jetty8: DNE
devel_jetty8: DNE

Patches_jetty9:
upstream: https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02
upstream: https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58
upstream: https://github.com/eclipse/jetty.project/commit/2baa1abe4b1c380a30deacca1ed367466a1a62ea
upstream_jetty9: released (9.2.22-1)
precise/esm_jetty9: DNE
trusty_jetty9: DNE
trusty/esm_jetty9: DNE
vivid/ubuntu-core_jetty9: DNE
xenial_jetty9: ignored (end of standard support, was needed)
yakkety_jetty9: ignored (reached end-of-life)
zesty_jetty9: ignored (reached end-of-life)
artful_jetty9: ignored (reached end-of-life)
bionic_jetty9: not-affected (9.2.23-1)
cosmic_jetty9: not-affected (9.2.26-1)
disco_jetty9: not-affected (9.2.26-1)
eoan_jetty9: not-affected (9.2.26-1)
focal_jetty9: not-affected (9.2.26-1)
groovy_jetty9: not-affected (9.2.26-1)
hirsute_jetty9: not-affected (9.2.26-1)
impish_jetty9: not-affected (9.2.26-1)
jammy_jetty9: not-affected (9.2.26-1)
devel_jetty9: not-affected (9.2.26-1)