Jetty, a widely-used Java-based web server and servlet engine, has recently been discovered to contain a weak authentication vulnerability in specific versions. The vulnerability potentially allows attackers to bypass the authentication process under certain conditions. This security issue impacts Jetty versions 9.4.21 through 9.4.51, 10..15, and 11..15.

The vulnerability exists in the way Jetty's OpenIdAuthenticator handles authentication when using its optional nested LoginService. This article will discuss the technical details of the vulnerability, the affected versions, and steps to mitigate the risk.

Exploit Details

When the OpenIdAuthenticator in Jetty uses its optional nested LoginService, and that LoginService decides to revoke an already authenticated user for any reason, Jetty still processes the current request as if the user is authenticated.

However, once the request is processed, the authentication is cleared from the session, and any subsequent requests will not be treated as authenticated. This means that a request made on a previously authenticated session could potentially bypass authentication, even after the LoginService has rejected it.

Take a look at the following code snippet for an example of affected configuration

Server server = new Server(808);

// ... Initializations ...

OpenIdAuthenticator authenticator = new OpenIdAuthenticator();
authenticator.setLoginService(nestedLoginService); // Vulnerable configuration

SecurityHandler securityHandler = new ConstraintSecurityHandler();

// ... Set the security handler ...

server.start();

11..15

It is crucial for users of these versions to be aware of the potential security risks and to take steps to mitigate the threat.

Mitigation

The Jetty development team has released a patch for this issue, which is included in the following updated versions:

11..16

To mitigate the risk of exploitation, users are urged to upgrade their Jetty instances to one of the patched versions mentioned above. For more information on this issue and the patch, check out the official CVE-2023-41900 details on the NVD (National Vulnerability Database) here and the Jetty GitHub repository here.

Conclusion

In summary, a weak authentication vulnerability in certain Jetty versions allows requests on previously authenticated sessions to bypass authentication in specific scenarios. The vulnerability affects Jetty versions 9.4.21 through 9.4.51, 10..15, and 11..15, when using the OpenIdAuthenticator with a nested LoginService. Users are strongly advised to update their Jetty instances to versions 9.4.52, 10..16, or 11..16 to mitigate the threat.

Timeline

Published on: 09/15/2023 21:15:11 UTC
Last modified on: 11/10/2023 18:15:08 UTC