As BSI studies, the IT safety warning concerning the Eclipse Jetty vulnerability has acquired an replace. You can discover out what involved customers ought to take note of right here.
Federal workplace for Security in Information Technology (BSI) has issued an replace on May 23, 2024 to essentially the most susceptible safety gap in Eclipse Jetty identified on September 14, 2023. The safety vulnerability impacts Linux, MacOS Bus, IBM QRadar SIEM and Eclipse Jetty functions.
The newest producer suggestions for updates, workarounds and safety patches for this vulnerability may be discovered right here: Red Hat Security Advisory RHSA-2024:3354 (From 24 May 2024). Some helpful assets are listed later on this article.
Eclipse Jetty’s excessive threat – Risk: average
Risk stage: 4 (average)
CVSS Base Score: 5.3
CVSS provisional rating: 4,6
Remote management: Ja
The Common Vulnerability Scoring System (CVSS) is used to evaluate the vulnerability of laptop methods. The CVSS customary makes it attainable to match potential or precise safety dangers primarily based on numerous standards with a view to prioritize countermeasures. The attributes “none”, “low”, “medium”, “excessive” and “extreme” are used to find out the severity ranges of the vulnerability. The Base Score evaluates the necessities of an assault (together with authentication, complexity, privileges, person interplay) and its outcomes. For non permanent impact, body situations that will change over time are thought of within the take a look at. The severity of the present vulnerability is assessed as “average” in response to the CVSS with a base rating of 5.3.
Eclipse Jetty Bug: Description of the assault
Eclipse Jetty is a Java HTTP server and Java servlet container.
An authenticated distant attacker may exploit a number of vulnerabilities in Eclipse Jetty to execute arbitrary code, bypass safety measures, or assault the HTTP cache.
Vulnerabilities are recognized by distinctive CVE (Common Vulnerabilities and Exposures) product numbers. CVE-2023-36479, CVE-2023-40167 and CVE-2023-41900 on the market.
Systems affected by the safety hole at a look
Operating methods
Linux, MacOS X, UNIX, Windows
Products
Debian Linux (cpe:/o:debian:debian_linux)
IBM Maximo Asset Management 7.6.1 (cpe:/a:ibm:maximo_asset_management)
Amazon Linux 2 (cpe:/o:amazon:linux_2)
IBM InfoSphere Information Server 11.7 (cpe:/a:ibm:infosphere_information_server)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
SUSE Linux (cpe:/o:use:suse_linux)
IBM Operational Decision Manager (cpe:/a:ibm:operational_decision_manager)
IBM Integration Bus (cpe:/a:ibm:integration_bus)
IBM QRadar SIEM 7.5 (cpe:/a:ibm:qradar_siem)
Eclipse Jetty Eclipse Jetty Eclipse Jetty Eclipse Jetty Eclipse Jetty
Common steps to deal with IT safety gaps
- Users of the affected apps ought to keep up-to-date. When safety holes are identified, producers are required to repair them rapidly by growing a patch or workaround. If safety patches can be found, set up them instantly.
- For info, see the sources listed within the subsequent part. This typically incorporates further details about the most recent model of the software program in query and the supply of safety patches or efficiency suggestions.
- If you’ve got any additional questions or uncertainties, please contact your accountable administrator. IT safety managers ought to repeatedly verify if IT safety alert Affected producers present a brand new safety replace.
Manufacturer details about updates, patches and workarounds
Here you can see some hyperlinks with details about bug studies, safety fixes and workarounds.
Red Hat Security Advisory RHSA-2024:3354 vom 2024-05-24 (23.05.2024)
For extra info, see:
Amazon Linux Security Advisory ALAS-2024-2460 vom 2024-02-19 (19.02.2024)
For extra info, see:
Red Hat Security Advisory RHSA-2024:0778 vom 2024-02-12 (11.02.2024)
For extra info, see:
IBM Security Bulletin 7108700 vom 2024-01-17 (17.01.2024)
For extra info, see:
Amazon Linux Security Advisory ALAS-2024-2394 vom 2024-01-10 (09.01.2024)
For extra info, see:
IBM Security Bulletin 7099297 vom 2023-12-18 (18.12.2023)
For extra info, see:
IBM Security Bulletin 7070757 vom 2023-11-29 (28.11.2023)
For extra info, see:
IBM Security Bulletin 7082766 vom 2023-11-28 (27.11.2023)
For extra info, see:
IBM Security Bulletin 7076274 vom 2023-11-15 (15.11.2023)
For extra info, see:
Red Hat Security Advisory RHSA-2023:7247 vom 2023-11-16 (15.11.2023)
For extra info, see:
SUSE Security Update SUSE-SU-2023:4210-1 vom 2023-10-26 (26.10.2023)
For extra info, see:
IBM Security Bulletin 7055552 vom 2023-10-20 (19.10.2023)
For extra info, see:
Red Hat Security Advisory RHSA-2023:5946 vom 2023-10-20 (19.10.2023)
For extra info, see:
Red Hat Security Advisory RHSA-2023:5441 vom 2023-10-04 (04.10.2023)
For extra info, see:
Debian Security Advisory DLA-3592 vom 2023-09-30 (01.10.2023)
For extra info, see:
Debian Security Advisory DSA-5507 vom 2023-09-29 (28.09.2023)
For extra info, see:
Eclipse Jetty Safety Tips vom 2023-09-14 (14.09.2023)
For extra info, see:
Version historical past of this safety alert
This is model 15 of this Security Notice for Eclipse Jetty IT. If additional updates are introduced, this doc can be up to date. You can see the modifications made utilizing the model historical past under.
September 14, 2023 – First model
09/28/2023 – New updates from Debian added
10/01/2023 – New updates from Debian added
10/04/2023 – New updates from Red Hat added
10/19/2023 – New updates from Red Hat added
October 26, 2023 – New updates from SUSE added
November 15, 2023 – New updates from Red Hat and IBM added
November 27, 2023 – New updates from IBM added
November 28, 2023 – New updates from IBM added
12/18/2023 – New updates from IBM added
January 9, 2024 – New updates from Amazon added
01/17/2024 – New updates from IBM added
02/11/2024 – New updates from Red Hat have been added
02/19/2024 – New updates from Amazon added
05/23/2024 – New updates from Red Hat added
+++ Editorial word: This doc is predicated on present BSI knowledge and can be up to date in a data-driven method relying on the standing of the alert. We welcome suggestions and feedback at [email protected]. +++
comply with News.de you might be right here Facebook, Twitter, Pinterest once more YouTube? Here you can see scorching information, present movies and a direct line to the editorial workforce.
kns/roj/information.de