
IT Security: F5, Linux and UNIX Systems Under Threat – Updated IT Security Alert on Eclipse Jetty (Risk: Medium)

The BSI has updated its security alert for Eclipse Jetty. Affected users can find out here what they should do.

On May 16, 2024 the Federal Office for Information Security (BSI) published an update to the Eclipse Jetty security alert first issued on October 25, 2020. The vulnerability affects the operating systems F5 Networks, Linux and UNIX and the products Debian Linux, Red Hat Enterprise Linux, F5 BIG-IP and Eclipse Jetty.

The latest vendor recommendations on updates, workarounds and security patches for this vulnerability can be found here: IBM Security Bulletin 7153639 (as of May 17, 2024). Further useful sources are listed later in this article.

Eclipse Jetty security vulnerability – Risk: Medium

Risk level: 3 (medium)
CVSS base score: 5.3
CVSS temporal score: 4.6
Remote attack: No

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities in computer systems. The CVSS standard makes it possible to rate potential or actual security risks on the basis of various metrics and so to build a priority list for countermeasures. The ratings “none”, “low”, “medium”, “high” and “critical” are used to classify the severity of a vulnerability. The base score assesses the prerequisites for an attack (such as authentication, complexity, privileges and user interaction) and its consequences. The temporal score additionally takes into account framework conditions that can change over time. The severity of the present vulnerability is rated “medium” according to CVSS, with a base score of 5.3.

Eclipse Jetty bug: vulnerability allows security measures to be bypassed

Eclipse Jetty is a Java HTTP server and Java servlet container.

A local attacker can exploit a vulnerability in Eclipse Jetty to bypass security measures.

Vulnerabilities are uniquely identified using the CVE (Common Vulnerabilities and Exposures) reference system; this one carries the identifier CVE-2020-27216.

Systems affected by the vulnerability at a glance

Operating systems
F5 Networks, Linux, UNIX

Products
Debian Linux (cpe:/o:debian:debian_linux)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
F5 BIG-IP (cpe:/a:f5:big-ip)
Eclipse Jetty

General steps to address IT security gaps

  1. Users of the affected applications should stay informed. Once a security hole is identified, the vendor should close it quickly with a patch or fix. If security patches are available, install them immediately.
  2. For more information, see the sources in the next section. These usually contain further details on the latest version of the software in question and on the availability of security patches or workarounds.
  3. If you have any questions or concerns, contact your responsible administrator. IT security officers should regularly check the sources listed to see whether a new security update has been released.

Vendor details on updates, patches and workarounds

Here you will find links with details on bug reports, security fixes and workarounds.

IBM Security Bulletin 7153639 dated 05-17-2024 (16.05.2024)
F5 Security Advisory K18484125 dated 22-06-2022 (22.06.2023)
F5 Security Advisory K18484125 dated 18-05-2022 (18.05.2022)
Red Hat Security Advisory RHSA-2021:3140 dated 2021-08-11 (11.08.2021)
Debian Security Advisory DSA-4949 dated 05-08-2021 (04.08.2021)
Red Hat Security Advisory RHSA-2021:2430 dated 2021-07-02 (01.07.2021)
Red Hat Security Advisory RHSA-2021:2517 dated 2021-06-30 (30.06.2021)
Red Hat Security Advisory RHSA-2021:2499 dated 2021-06-29 (28.06.2021)
Debian Security Advisory DLA-2661 dated 2021-05-14 (16.05.2021)
Red Hat Security Advisory RHSA-2021:0329 dated 2021-02-02 (01.02.2021)
Red Hat Security Advisory RHSA-2020:5365 dated 2020-12-08 (07.12.2020)
Red Hat Security Advisory RHSA-2020:5168 dated 2020-11-23 (22.11.2020)
GitHub Eclipse Jetty from October 25, 2020 (25.10.2020)

Version history of this security alert

This is version 13 of this Eclipse Jetty IT security notice. The document may be updated as further updates are released. The changes and additions of each version are listed in this version history.

October 25, 2020 – First version
November 22, 2020 – New updates from Red Hat added
December 7, 2020 – New updates from Red Hat added
February 1, 2021 – New updates from Red Hat added
May 16, 2021 – New updates from Debian added
June 28, 2021 – New updates from Red Hat added
June 30, 2021 – New updates from Red Hat added
July 1, 2021 – New updates from Red Hat added
August 4, 2021 – New updates from Debian added
August 11, 2021 – New updates from Red Hat added
May 18, 2022 – New information from F5 added
June 22, 2023 – New updates from F5 added
May 16, 2024 – New updates from IBM added

+++ Editor’s note: This document is based on current BSI information and may be updated depending on the status of the alert. Suggestions and feedback are welcome at (email protected). +++


kns/roj/news.de