CVE-2021-34428 : Security Advisory and Response

Understand CVE-2021-34428 impacting Eclipse Jetty versions. Learn about the session invalidation issue, its impact, and mitigation steps. Stay secure with updates.

This article provides detailed information about CVE-2021-34428, focusing on Eclipse Jetty vulnerability.

Understanding CVE-2021-34428

CVE-2021-34428 is a vulnerability affecting several Eclipse Jetty versions in which a session may fail to be invalidated.

What is CVE-2021-34428?

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, an exception thrown from the SessionListener#sessionDestroyed() method may not invalidate the session ID, potentially leaving a user logged in on a shared computer.

The Impact of CVE-2021-34428

The vulnerability has a CVSS base score of 2.9, which is low severity; the score lists impacts on confidentiality, integrity, and availability.

Technical Details of CVE-2021-34428

This section dives deeper into the vulnerability's description, affected systems, and exploitation mechanism.

Vulnerability Description

When an exception is thrown from SessionListener#sessionDestroyed(), the session ID is not always invalidated, so the session can persist after it should have been destroyed.

Affected Systems and Versions

Eclipse Jetty versions <= 9.4.40, <= 10.0.2, and <= 11.0.2 are impacted by this vulnerability.

Exploitation Mechanism

The issue arises in clustered session deployments with multiple contexts, leading to sessions not being properly invalidated.

Mitigation and Prevention

Discover the immediate steps to take, security best practices, and the importance of patching and updates.

Immediate Steps to Take

Ensure that sessions are invalidated even when an exception is thrown from sessionDestroyed() in Eclipse Jetty, and monitor for sessions that persist after logout.
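The failure mode described above (an exception escaping sessionDestroyed() and the mitigation of making sure invalidation still completes) is illustrated by the following added example. It is not code from this advisory or from the Jetty project. It assumes the javax.servlet API that Jetty 9.4 uses (Jetty 10 and 11 use jakarta.servlet instead), a hypothetical application cleanup step named releaseResources(), and a hypothetical session attribute "resource.handle"; in a real deployment the two classes would live in separate source files.

```java
// Added example, not from the advisory or the Jetty project.
// Assumes javax.servlet (Jetty 9.4); Jetty 10/11 would use jakarta.servlet.
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * A session listener that keeps its own cleanup failures from escaping
 * sessionDestroyed(). On the affected Jetty versions an exception thrown
 * here could leave the session ID un-invalidated; containing the exception
 * in the listener removes that trigger regardless of the container version.
 */
@WebListener
public class SafeLogoutListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SafeLogoutListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do on creation for this example.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        try {
            releaseResources(session); // hypothetical application cleanup
        } catch (RuntimeException e) {
            // Log and contain: a cleanup failure must never abort invalidation.
            LOG.log(Level.WARNING, "cleanup failed for session " + session.getId(), e);
        }
    }

    // Hypothetical cleanup that can fail, standing in for real application code.
    private void releaseResources(HttpSession session) {
        Object handle = session.getAttribute("resource.handle"); // hypothetical attribute
        if (handle == null) {
            throw new IllegalStateException("no resource handle to release");
        }
        // ... release the handle ...
    }
}

/**
 * Logout endpoint: invalidates the server-side session and expires the
 * session cookie so the browser stops presenting the old ID.
 */
@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(LogoutServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            String id = session.getId();
            session.invalidate(); // triggers sessionDestroyed() on every registered listener
            LOG.info("invalidated session " + id);
        }
        // Expire the cookie client-side; the name assumes Jetty's default JSESSIONID.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath("/");
        expired.setHttpOnly(true);
        resp.addCookie(expired);
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}
```

The design choice is that invalidation is the security-critical step and listener cleanup is secondary, so the listener never lets a cleanup exception propagate back into the container's invalidation path; the servlet additionally expires the cookie so that, even if a server-side ID lingered, the user's browser no longer sends it. Upgrading Jetty past the affected versions remains the actual fix.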

Long-Term Security Practices

Regularly update Jetty to the latest patched versions. Implement secure session management practices to mitigate similar risks.

Patching and Updates

Stay informed about security advisories and promptly apply relevant patches to address known vulnerabilities.
