JetLeak Vulnerability: Remote Leakage of Shared Buffers (CVE-2015-2080)

  • 7022580
  • 14-Mar-2015
  • 02-Mar-2018

Environment

Reflection ZFE

Situation

An unauthenticated remote attacker can send a specially crafted request to read arbitrary data from previous requests submitted to the server by other users.

Resolution

Reflection ZFE 1.0 is vulnerable to this attack. In version 1.0, you can fix the issue by manually replacing a file in the installed product. Download the patch from Eclipse at https://bugs.eclipse.org/bugs/attachment.cgi?id=251121, then overwrite the existing file at this location: <installdir>/sessionserver/services/servletengine/lib/jetty-http-9.2.7.v20150116.jar.

This issue is addressed beginning in Reflection ZFE 1.1, which includes Jetty version 9.2.11.v20150529.
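As an added check that is not part of this note or the product, the script below reports which Jetty the session server's servlet engine actually carries, and lets an operator confirm a hand-patched 1.0 install by comparing the replaced jar against the digest of the Eclipse attachment they downloaded. It assumes Jetty jars carry an OSGi Bundle-Version manifest header and that the fix first shipped in Jetty 9.2.9, as the Jetty security report linked under Additional Information states; the digest value is supplied by the operator, not taken from this note.

```python
import re
import hashlib
import tempfile
import zipfile
from pathlib import Path

# First 9.2.x Jetty release carrying the JetLeak fix, per the Jetty security
# report linked in this note; ZFE 1.1's 9.2.11.v20150529 is past it.
FIXED_VERSION = (9, 2, 9)

def parse_version(text):
    """'jetty-http-9.2.7.v20150116.jar' -> (9, 2, 7); None if no x.y.z found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def manifest_version(jar_path):
    """Bundle-Version from the jar's OSGi manifest, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Bundle-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def assess_jar(jar_path, expected_sha256=None):
    """'patched', 'vulnerable' or 'unknown'. A hand-patched 1.0 install keeps
    the 9.2.7 filename, so a matching operator-supplied digest wins."""
    if expected_sha256:
        digest = hashlib.sha256(Path(jar_path).read_bytes()).hexdigest()
        if digest == expected_sha256.lower():
            return "patched"
    version = parse_version(manifest_version(jar_path) or Path(jar_path).name)
    if version is None:
        return "unknown"
    return "patched" if version >= FIXED_VERSION else "vulnerable"

def scan_lib_dir(lib_dir, expected_sha256=None):
    # Real use: scan_lib_dir("<installdir>/sessionserver/services/servletengine/lib")
    return {p.name: assess_jar(p, expected_sha256)
            for p in Path(lib_dir).glob("jetty-http-*.jar")}

def demo():
    # Constructed samples: minimal jars whose manifests name the two versions cited above.
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("9.2.7.v20150116", "9.2.11.v20150529"):
            with zipfile.ZipFile(Path(tmp) / f"jetty-http-{v}.jar", "w") as jar:
                jar.writestr("META-INF/MANIFEST.MF", f"Bundle-Version: {v}\r\n")
        return scan_lib_dir(tmp)
```

A filename or manifest check alone cannot distinguish a patched 9.2.7 jar from the original, which is why the digest comparison is there for 1.0 installs.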

Status

Security Alert

Additional Information

For vulnerability details, see http://www.eclipse.org/jetty/documentation/current/security-reports.html.

This information was originally published in Attachmate Technical Note 2783 (posted March 2015, updated October 2015).