[MAVEN:GHSA-M6CP-VXJX-65J6] SessionListener can prevent a session from being invalidated breaking logout

Severity Low

Affected Packages 3

Fixed Packages 3

CVEs 1

Impact

If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to sessionDestroyed, the getLastAccessedTime() throws an IllegalStateException, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out.

Workarounds

The application should catch all Throwables within their SessionListener#sessionDestroyed() implementations.

Package	Affected Version
pkg:maven/org.eclipse.jetty/jetty-server	>= 11.0.0, <= 11.0.2
pkg:maven/org.eclipse.jetty/jetty-server	>= 10.0.0, <= 10.0.2
pkg:maven/org.eclipse.jetty/jetty-server	<= 9.4.40

Package	Fixed Version
pkg:maven/org.eclipse.jetty/jetty-server	= 11.0.3
pkg:maven/org.eclipse.jetty/jetty-server	= 10.0.3
pkg:maven/org.eclipse.jetty/jetty-server	= 9.4.41

ID

MAVEN:GHSA-M6CP-VXJX-65J6

Severity

low

URL

https://github.com/advisories/GHSA-m6cp-vxjx-65j6

Published

2021-06-23T20:23:04
(3 years ago)

Modified

2023-02-01T05:05:59
(19 months ago)

Rights

Maven Security Team

Other Advisories

DSA-4949-1

Source	# ID	Name	URL
			https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
			https://nvd.nist.gov/vuln/detail/CVE-2021-34428
			https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E
			https://security.netapp.com/advisory/ntap-20210813-0003/
			https://www.debian.org/security/2021/dsa-4949
			https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E
			https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E
			https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E
			https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E
			https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E
			https://www.oracle.com/security-alerts/cpuoct2021.html
			https://www.oracle.com/security-alerts/cpujan2022.html
			https://www.oracle.com/security-alerts/cpuapr2022.html
			https://github.com/advisories/GHSA-m6cp-vxjx-65j6

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.eclipse.jetty/jetty-server	org.eclipse.jetty	jetty-server	>= 11.0.0 <= 11.0.2
Fixed	pkg:maven/org.eclipse.jetty/jetty-server	org.eclipse.jetty	jetty-server	= 11.0.3
Affected	pkg:maven/org.eclipse.jetty/jetty-server	org.eclipse.jetty	jetty-server	>= 10.0.0 <= 10.0.2
Fixed	pkg:maven/org.eclipse.jetty/jetty-server	org.eclipse.jetty	jetty-server	= 10.0.3
Affected	pkg:maven/org.eclipse.jetty/jetty-server	org.eclipse.jetty	jetty-server	<= 9.4.40
Fixed	pkg:maven/org.eclipse.jetty/jetty-server	org.eclipse.jetty	jetty-server	= 9.4.41

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date