JetLeak vulnerability - Vulnerability Database

JetLeak vulnerability

Description

JetLeak is a critical information leakage vulnerability affecting Eclipse Jetty web server versions 9.2.3 through 9.2.8. It is triggered when the server receives an HTTP request whose header values contain illegal or malformed characters. Because of improper exception handling, the server inadvertently returns approximately 16 bytes of uninitialized data from a shared internal buffer in its error response, which can expose sensitive information from previous requests that were processed using the same buffer.

Remediation

Immediately upgrade Jetty to version 9.2.9.v20150224 or later, which contains a fix for this vulnerability. Follow these steps to remediate:

1. Identify all systems running affected Jetty versions (9.2.3 through 9.2.8)
2. Download the latest stable Jetty release from the official Eclipse Jetty download page
3. Test the upgrade in a non-production environment to ensure compatibility
4. Schedule a maintenance window and deploy the updated version to production systems
5. Verify the upgrade by checking the Jetty version in server logs or startup output
6. Review application logs for any suspicious activity that may indicate prior exploitation

If immediate upgrading is not possible, implement network-level controls to restrict access to the Jetty server until patching can be completed. Note that there is no effective workaround for this vulnerability other than upgrading to a patched version.
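Steps 1 and 5 above amount to checking each server's Jetty version against the affected range. The script below, an added example rather than anything from Invicti or the Jetty project, parses the version string that Jetty 9 prints at startup ("jetty-<major>.<minor>.<patch>.v<date>") from constructed log lines and classifies each host; the surrounding log layout and host names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version bounds taken from the advisory: 9.2.3 through 9.2.8 affected, 9.2.9 or later fixed.
AFFECTED_MIN = (9, 2, 3)
AFFECTED_MAX = (9, 2, 8)
FIXED_MIN = (9, 2, 9)

# Jetty 9 prints its version at startup as "jetty-9.2.7.v20150116"; the rest of the
# line format used in the samples below is an assumption for this example.
VERSION_RE = re.compile(r"\bjetty-(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?\b")

Version = Tuple[int, int, int]

def parse_jetty_version(line: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a startup log line, or None if absent."""
    m = VERSION_RE.search(line)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def classify(version: Version) -> str:
    """'affected' inside 9.2.3-9.2.8, 'patched' at 9.2.9 or later, otherwise 'not-listed'."""
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED_MIN:
        return "patched"
    return "not-listed"  # older than the range named in the advisory

def triage_startup_logs(logs: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each host to a status; 'unknown' when no version line was found."""
    result: Dict[str, str] = {}
    for host, lines in logs.items():
        status = "unknown"
        for line in lines:
            version = parse_jetty_version(line)
            if version is not None:
                status = classify(version)
                break
        result[host] = status
    return result

# Constructed sample startup output for four hypothetical hosts (not real logs).
SAMPLE_LOGS = {
    "app-01": ["2015-03-02 09:14:01.112:INFO:oejs.Server:main: jetty-9.2.7.v20150116",
               "2015-03-02 09:14:01.330:INFO:oejs.ServerConnector:main: Started ServerConnector@1a2b3c{HTTP/1.1}{0.0.0.0:8080}"],
    "app-02": ["2015-03-02 09:15:44.008:INFO:oejs.Server:main: jetty-9.2.9.v20150224"],
    "app-03": ["2015-03-02 09:16:10.551:INFO:oejs.Server:main: jetty-9.1.5.v20140505"],
    "app-04": ["2015-03-02 09:17:00.000:INFO:oejs.Server:main: Server started"],
}

if __name__ == "__main__":
    for host, status in triage_startup_logs(SAMPLE_LOGS).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check, since a missing version line is not evidence that the server is patched.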
