CVE-2017-9735 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2017-9735?

CVE-2017-9735 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-9735?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Debian Debian Linux, Oracle Communications Cloud Native Core Policy, Oracle Enterprise Manager Base Platform, Oracle Hospitality Guest Access.

Vulnerability Description

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Eclipse	Jetty	< 9.2.22
Debian	Debian Linux	9.0
Oracle	Communications Cloud Native Core Policy	1.5.0
Oracle	Enterprise Manager Base Platform	13.2
Oracle	Hospitality Guest Access	4.2.0
Oracle	Rest Data Services	11.2.0.4
Oracle	Retail Xstore Point Of Service	7.1

Related Weaknesses (CWE)

CWE-203

References

http://www.securityfocus.com/bid/99104Third Party AdvisoryVDB Entry
https://bugs.debian.org/864631Issue TrackingMailing ListThird Party Advisory
https://github.com/eclipse/jetty.project/issues/1556Issue TrackingPatchThird Party Advisory
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885
https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e
https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d28
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd9
https://lists.debian.org/debian-lts-announce/2021/05/msg00016.htmlMailing ListThird Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatchThird Party Advisory
http://www.securityfocus.com/bid/99104Third Party AdvisoryVDB Entry
https://bugs.debian.org/864631Issue TrackingMailing ListThird Party Advisory

FAQ

What is CVE-2017-9735?

CVE-2017-9735 is a vulnerability with a CVSS score of 7.5 (HIGH). Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect pa...

How severe is CVE-2017-9735?

CVE-2017-9735 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-9735?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Debian Debian Linux, Oracle Communications Cloud Native Core Policy, Oracle Enterprise Manager Base Platform, Oracle Hospitality Guest Access.