#VU9654 Brute-force attack in Jetty


| Updated: 2023-11-22

Vulnerability identifier: #VU9654

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-9735

CWE-ID: CWE-208

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jetty
Server applications / Web servers

Vendor: Eclipse

Description
The vulnerability allows a remote attacker to perform a brute-force attack.

The vulnerability exists due to a timing channel in util/security/Password.java, which allows a remote attacker to perform a brute-force attack by observing elapsed times before rejection of incorrect passwords.

Mitigation
Update to version 9.4.6.v20170531, 9.3.20.v20170531 or jetty-9.2.22.v20170606.

Vulnerable software versions

Jetty: 9.2.0.v20140526 - 9.4.5.v20170502

External links
http://github.com/eclipse/jetty.project/issues/1556

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Security Verify Directory
Crowd Data Center and Server update for jetty-util
Multiple vulnerabilities in IBM Security Directory Integrator
Jira Software Data Center and Server update for Jetty
Multiple vulnerabilities in IBM Storage Protect Server
Multiple vulnerabilities in Dell CloudLink
Multiple vulnerabilities in Oracle Communications Cloud Native Core Policy
Multiple vulnerabilities in Dell Support Assist Enterprise
Security restrictions bypass in Eclipse Jetty