ALAS-2024-2408

Amazon Linux 2 Security Advisory: ALAS-2024-2408
Advisory Release Date: 2024-01-03 21:04 Pacific
Advisory Updated Date: 2024-01-09 17:51 Pacific
Severity: Medium
Issue Overview:

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. (CVE-2021-28169)


Affected Packages:

jetty


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update jetty to update your system.

New Packages:
noarch:
    jetty-project-9.0.3-8.amzn2.0.1.noarch
    jetty-annotations-9.0.3-8.amzn2.0.1.noarch
    jetty-ant-9.0.3-8.amzn2.0.1.noarch
    jetty-client-9.0.3-8.amzn2.0.1.noarch
    jetty-continuation-9.0.3-8.amzn2.0.1.noarch
    jetty-deploy-9.0.3-8.amzn2.0.1.noarch
    jetty-http-9.0.3-8.amzn2.0.1.noarch
    jetty-io-9.0.3-8.amzn2.0.1.noarch
    jetty-jaas-9.0.3-8.amzn2.0.1.noarch
    jetty-jaspi-9.0.3-8.amzn2.0.1.noarch
    jetty-jmx-9.0.3-8.amzn2.0.1.noarch
    jetty-jndi-9.0.3-8.amzn2.0.1.noarch
    jetty-jsp-9.0.3-8.amzn2.0.1.noarch
    jetty-jspc-maven-plugin-9.0.3-8.amzn2.0.1.noarch
    jetty-maven-plugin-9.0.3-8.amzn2.0.1.noarch
    jetty-monitor-9.0.3-8.amzn2.0.1.noarch
    jetty-plus-9.0.3-8.amzn2.0.1.noarch
    jetty-proxy-9.0.3-8.amzn2.0.1.noarch
    jetty-rewrite-9.0.3-8.amzn2.0.1.noarch
    jetty-runner-9.0.3-8.amzn2.0.1.noarch
    jetty-security-9.0.3-8.amzn2.0.1.noarch
    jetty-server-9.0.3-8.amzn2.0.1.noarch
    jetty-servlet-9.0.3-8.amzn2.0.1.noarch
    jetty-servlets-9.0.3-8.amzn2.0.1.noarch
    jetty-start-9.0.3-8.amzn2.0.1.noarch
    jetty-util-9.0.3-8.amzn2.0.1.noarch
    jetty-util-ajax-9.0.3-8.amzn2.0.1.noarch
    jetty-webapp-9.0.3-8.amzn2.0.1.noarch
    jetty-xml-9.0.3-8.amzn2.0.1.noarch
    jetty-websocket-api-9.0.3-8.amzn2.0.1.noarch
    jetty-websocket-client-9.0.3-8.amzn2.0.1.noarch
    jetty-websocket-common-9.0.3-8.amzn2.0.1.noarch
    jetty-websocket-parent-9.0.3-8.amzn2.0.1.noarch
    jetty-websocket-server-9.0.3-8.amzn2.0.1.noarch
    jetty-websocket-servlet-9.0.3-8.amzn2.0.1.noarch
    jetty-javadoc-9.0.3-8.amzn2.0.1.noarch

src:
    jetty-9.0.3-8.amzn2.0.1.src

Additional References

Red Hat: CVE-2021-28169

Mitre: CVE-2021-28169