Environment
Reflection ZFE
Situation
An unauthenticated remote attacker can send a specially crafted request to read arbitrary data from previous requests submitted to the server by other users.
Resolution
Reflection ZFE 1.0 is vulnerable to the attack described above. In version 1.0, you can fix this by manually replacing a file in the installed product.
Download the patch from Eclipse: https://bugs.eclipse.org/bugs/attachment.cgi?id=251121. Then, overwrite the existing file at this location: <installdir>/sessionserver/services/servletengine/lib/jetty-http-9.2.7.v20150116.jar.
This issue is addressed beginning in Reflection ZFE 1.1, which includes Jetty version 9.2.11.v20150529.
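The manual replacement above, as an added POSIX shell example that is not part of the Technical Note: it locates the jetty-http jar under the install path named in the note, backs it up, copies the downloaded patch jar over it, and verifies the result byte for byte. INSTALLDIR and PATCH_JAR are caller-supplied assumptions (the install root and the file saved from the Eclipse attachment); the patch file name itself is not given by the note.

```shell
#!/bin/sh
# Added example, not from the Technical Note. Replaces the vulnerable
# jetty-http jar in a Reflection ZFE 1.0 install with the patched jar
# downloaded from Eclipse, keeping a backup and verifying the copy.
# Assumptions: $1 is the ZFE install root, $2 is the downloaded patch jar.

LIB_SUBDIR="sessionserver/services/servletengine/lib"
VULNERABLE_JAR="jetty-http-9.2.7.v20150116.jar"

# Print the path of the first jetty-http jar in the install, or nothing.
find_jetty_http_jar() {
    ls "$1/$LIB_SUBDIR"/jetty-http-*.jar 2>/dev/null | head -n 1
}

# Succeed only if the install still carries the jar name the note calls out.
# After patching, the name is unchanged, so use patch_applied for that check.
has_vulnerable_jar_name() {
    jar=$(find_jetty_http_jar "$1")
    [ -n "$jar" ] && [ "$(basename "$jar")" = "$VULNERABLE_JAR" ]
}

# Succeed only if the installed jar is byte-for-byte the patch jar.
patch_applied() {
    cmp -s "$2" "$1/$LIB_SUBDIR/$VULNERABLE_JAR"
}

# Back up the existing jar, overwrite it with the patch, then verify.
apply_jetty_patch() {
    installdir="$1"
    patch_jar="$2"
    target="$installdir/$LIB_SUBDIR/$VULNERABLE_JAR"
    [ -f "$target" ] || { echo "no $VULNERABLE_JAR under $installdir" >&2; return 1; }
    [ -f "$patch_jar" ] || { echo "patch jar $patch_jar not found" >&2; return 1; }
    cp -p "$target" "$target.bak" || return 1
    cp "$patch_jar" "$target" || return 1
    patch_applied "$installdir" "$patch_jar"
}
```

Run as `apply_jetty_patch "<installdir>" /path/to/downloaded-patch.jar` with the session server stopped, then restart it and re-run `patch_applied` to confirm the file survived any service restart.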
Status
Security Alert
Additional Information
For vulnerability details, see http://www.eclipse.org/jetty/documentation/current/security-reports.html.
This information was originally published in Attachmate Technical Note 2783 (posted March 2015, updated October 2015).