Jetty Security Notice Overview

CData is aware of a potential security issue with the Jetty embedded webserver (versions as high as 10.0.20, 11.0.20, and 12.0.7).

Date Entered: 03/25/2024    Last Updated: 03/26/2024

Eclipse Jetty Embedded Webserver Security Overview

A security issue has been identified that affects customers of CData products, including CData API Server, CData Arc (ArcESB), CData Connect (On-prem), and CData Sync. This security issue applies to customers who are running the Java Edition of these products and using Jetty (the default embedded Web Server). If you are running the .NET installation or using another servlet container like Tomcat as the web server, you can ignore this notification.

Details

A security vulnerability has been identified that could allow a malicious actor to bypass application authentication when accessing specific endpoints that usually require authentication. CData was made aware of this vulnerability, which applies when the products are hosted in Eclipse Jetty, through an established third-party security firm as part of a broader notice. At this time, we are unaware of any compromised customer installations.

A successful exploit of this vulnerability would require:

  • An attacker to possess knowledge of the application's backend endpoints.
  • An attacker to craft requests in a special way to cause the web server to trigger a path traversal.
  • The application being hosted in Jetty (versions as high as 10.0.20, 11.0.20, and 12.0.7).
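The three conditions above describe a request whose raw path looks unprotected but resolves, after decoding and dot-segment collapsing, to an endpoint that should have required authentication. The script below is an added example for reviewing a Jetty request log for that pattern; it is not code from CData or the Jetty project. It assumes the log is in NCSA common log format (the shape Jetty's request log writes), uses constructed sample lines rather than captured traffic, and takes the protected URL prefix (`/admin`) as a placeholder to be replaced with the deployment's real authenticated paths.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in NCSA common log format (the shape of a Jetty
# request log); these are invented for the example, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2024:10:01:02 +0000] "GET /api/health HTTP/1.1" 200 17
10.0.0.5 - - [25/Mar/2024:10:01:03 +0000] "GET /static/css/../../admin/users HTTP/1.1" 200 4120
10.0.0.9 - - [25/Mar/2024:10:01:04 +0000] "GET /static/%2e%2e/%2e%2e/admin/users HTTP/1.1" 200 4120
10.0.0.9 - - [25/Mar/2024:10:01:05 +0000] "GET /static/..%252f..%252fadmin HTTP/1.1" 404 0
10.0.0.7 - - [25/Mar/2024:10:01:06 +0000] "POST /login HTTP/1.1" 302 0
"""

# Assumed placeholder: the application's authenticated URL space lives under
# these prefixes. Replace with the real protected paths of the deployment.
PROTECTED_PREFIXES = ("/admin",)

NCSA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Percent-encoded '.', '/' or '\' never appear in paths a browser builds itself.
ENCODED_DOT_OR_SEP_RE = re.compile(r"%(2e|2f|5c)", re.IGNORECASE)


def decode_repeatedly(s, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e is seen as '.'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize_path(raw_target):
    """Resolve the request path the way a file system or servlet mapper would.

    Returns (normalized_path, escaped_root); escaped_root is True when a '..'
    segment tried to climb above '/'.
    """
    path = raw_target.split("?", 1)[0]
    decoded = decode_repeatedly(path).replace("\\", "/")
    segments = []
    escaped_root = False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped_root = True
            continue
        segments.append(seg)
    return "/" + "/".join(segments), escaped_root


def classify(raw_target, protected_prefixes=PROTECTED_PREFIXES):
    """Return the reasons a request target looks like a traversal attempt ([] = clean)."""
    reasons = []
    path = raw_target.split("?", 1)[0]
    if ENCODED_DOT_OR_SEP_RE.search(path):
        reasons.append("encoded-dot-or-slash")
    if decode_repeatedly(path) != unquote(path):
        reasons.append("double-encoding")  # a second decode round changed the path
    if ".." in decode_repeatedly(path).replace("\\", "/").split("/"):
        reasons.append("dot-segment")
    normalized, escaped_root = normalize_path(raw_target)
    if escaped_root:
        reasons.append("escapes-root")
    # Only a request that is already suspicious is tagged here, so ordinary
    # authenticated use of /admin is not reported.
    if reasons and normalized.startswith(protected_prefixes):
        reasons.append("reaches-protected-path")
    return reasons


def scan(log_text):
    """Parse NCSA lines and return one finding per request that trips a traversal check."""
    findings = []
    for line in log_text.splitlines():
        m = NCSA_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            normalized, _ = normalize_path(m["target"])
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "raw": m["target"],
                "resolved": normalized,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['raw']} -> {f['resolved']} "
              f"[{', '.join(f['reasons'])}]")
```

The useful field in each finding is `resolved`: a request whose raw target sat under an unauthenticated prefix but resolved to a protected path, and that received a 200 rather than a 401 or 404, is the case to investigate first. Run the script against the real request log of an affected installation before and after applying the update in the Resolution section.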

Resolution

Our engineering and security teams have worked to provide software updates that eliminate this issue. If you use one of the applications in this notice, please upgrade to the latest release.

PRODUCT               FIXED VERSION    DOWNLOAD URL
CData API Server      23.4.8844+       https://www.cdata.com/apiserver/download/
CData Arc (ArcESB)    23.4.8839+       https://arc.cdata.com/support/builds/
CData Connect         23.4.8846+       https://www.cdata.com/connect/server/download/
CData Sync            23.4.8843+       https://www.cdata.com/sync/builds/


More info

The security firm Tenable discovered a path traversal vulnerability affecting the Java versions of CData products when hosted on Jetty, and has filed an official CVE notification. This is an important CVE notice with a risk score of 8.0+. Validation is pending NIST confirmation.

NVD Published Date: 04/05/2024
CVE Dictionary Entries: CVE-2024-31848, CVE-2024-31849, CVE-2024-31850, CVE-2024-31851

We appreciate your feedback. If you have any questions, comments, or suggestions about this entry, please contact our support team at support@cdata.com.