CVE-2020-27216 Overview
CVE-2020-27216 is a local privilege escalation vulnerability affecting Eclipse Jetty, a popular Java-based web server and servlet container. On Unix-like systems, the system's temporary directory is shared between all users, creating an opportunity for a co-located local attacker to exploit a race condition during the creation of temporary subdirectories. A malicious local user can observe the creation of a temporary subdirectory and race to complete it first, potentially gaining read and write access to the directory used for unpacking web applications, including sensitive files such as WEB-INF/lib JAR files and JSP files.
Critical Impact
Successful exploitation allows a local attacker to gain elevated privileges by manipulating temporary directory permissions, potentially leading to code execution within the context of the Jetty server process.
Affected Products
- Eclipse Jetty versions 1.0 through 9.4.32.v20200930
- Eclipse Jetty versions 10.0.0.alpha1 through 10.0.0.beta2
- Eclipse Jetty versions 11.0.0.alpha1 through 11.0.0.beta2
- NetApp Snap Creator Framework, SnapCenter, VASA Provider, Virtual Storage Console, Storage Replication Adapter
- VMware vSphere
- Oracle Communications Application Session Controller, Converged Application Server, Element Manager, and other Oracle products
- Apache Beam versions 2.21.0 through 2.25.0
- Debian Linux 9.0 and 10.0
Discovery Timeline
- 2020-10-23 - CVE-2020-27216 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-27216
Vulnerability Analysis
This vulnerability is classified under CWE-378 (Creation of Temporary File With Insecure Permissions) and represents a Time-of-Check Time-of-Use (TOCTOU) race condition. The flaw exists in how Eclipse Jetty handles the creation of temporary subdirectories when unpacking web applications on Unix-like systems.
When Jetty creates temporary directories, it does so in the system's shared /tmp directory without adequate protection against race conditions. An attacker with local access to the same system can monitor the directory creation process and exploit the timing window between when Jetty checks for the directory's existence and when it actually sets the appropriate permissions.
If the attacker successfully wins the race, they gain read and write permissions to the temporary subdirectory. This directory contains unpacked web application resources including JAR files from WEB-INF/lib and JSP source files. With write access to these locations, an attacker could inject malicious code that would be executed when the web application loads these resources.
Root Cause
The root cause is insecure handling of temporary file and directory creation in a shared temporary directory environment. On Unix-like systems, the /tmp directory is world-readable and world-writable by default, and Jetty's temporary directory creation mechanism did not employ atomic operations or secure creation flags to prevent race conditions. The vulnerability arises from the predictable naming and non-atomic creation of temporary subdirectories, combined with the shared nature of the system's temporary directory.
Attack Vector
Exploitation requires local access to the target system where Jetty is running. The attack proceeds as follows:
- The attacker monitors the shared temporary directory (/tmp) for Jetty's directory creation activities
- When Jetty initiates creation of a temporary subdirectory for unpacking a web application, the attacker races to create the directory first
- If successful, the attacker's directory is used, granting them ownership and full permissions
- The attacker can then place malicious JAR files or modified JSP files in the directory
- When Jetty subsequently loads resources from this directory, the malicious code executes with Jetty's privileges
The vulnerability mechanism involves predictable temporary directory naming patterns and a race window during directory creation. See the GitHub Security Advisory GHSA-g3wg-6mcf-8jj6 for detailed technical information about the exploitation mechanics.
Detection Methods for CVE-2020-27216
Indicators of Compromise
- Unusual directory ownership changes within /tmp directories associated with Jetty or Java applications
- Multiple rapid creation and modification events in the system temporary directory coinciding with Jetty web application deployments
- Unexpected JAR files or modified JSP files in Jetty's temporary unpacking directories
- Process monitoring showing multiple users accessing the same temporary subdirectory path
Detection Strategies
- Monitor file system events in /tmp and Jetty-specific temporary directories for suspicious race condition patterns
- Implement audit logging for directory creation operations by the Jetty process
- Use integrity monitoring tools to detect unauthorized modifications to unpacked web application files
- Monitor for unusual process spawning from the Jetty server context that may indicate code injection
Monitoring Recommendations
- Enable auditd rules to track the mkdir and mkdirat syscalls (the kernel calls behind the mkdtemp library function) in the temporary directory space
- Configure SentinelOne or similar EDR solutions to alert on suspicious file operations in Java application temporary directories
- Implement periodic integrity checks on deployed web application resources
- Monitor for local users attempting to access or modify directories owned by the Jetty service account
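The check-then-create race described under Root Cause, and the ownership and permission checks listed under Monitoring Recommendations, as an added Python example (not Jetty's own code, and not how Jetty implements its temporary directory): create_private_dir creates the directory with mode 0700 in a single call and refuses an existing path, check_private_dir verifies owner and mode bits, and scan_temp_root applies that check to entries under a temp root whose name starts with an assumed prefix. The "jetty-" prefix and the scratch tree built by demo are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example, not Jetty's code. The insecure pattern described above is
# check-then-create (test for the directory, create it, tighten permissions
# afterwards); another local user can create the path in between and own it.
# The hardened form creates with mode 0700 in one mkdir() and errors if it exists.

def create_private_dir(path):
    """Create a directory only the current user can enter; fail if it exists."""
    os.mkdir(path, 0o700)  # raises FileExistsError if someone got there first
    problems = check_private_dir(path, os.geteuid())
    if problems:  # e.g. unexpected owner on an oddly configured filesystem
        raise OSError(f"{path}: {'; '.join(problems)}")

def check_private_dir(path, expected_uid):
    """Return the reasons (possibly none) why `path` is not a safe private dir."""
    st = os.lstat(path)  # lstat: a symlink planted at the path is itself a finding
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other bits set: {stat.S_IMODE(st.st_mode):04o}")
    return problems

def scan_temp_root(root, prefix, expected_uid):
    """Map each `prefix*` entry under `root` failing the check to its problems.
    `prefix` is an assumed naming convention; set it to what your Jetty writes."""
    findings = {}
    for entry in Path(root).iterdir():
        if entry.name.startswith(prefix):
            problems = check_private_dir(entry, expected_uid)
            if problems:
                findings[entry.name] = problems
    return findings

def demo():
    """Constructed scratch tree: one properly created dir, one left world-readable."""
    root = tempfile.mkdtemp()
    create_private_dir(os.path.join(root, "jetty-private"))
    loose = os.path.join(root, "jetty-loose")
    os.mkdir(loose)
    os.chmod(loose, 0o755)  # the default-umask result the page warns about
    return scan_temp_root(root, "jetty-", os.geteuid())
```

Run demo() to see the scan flag only the loosely permitted directory; point scan_temp_root at the real temp root and the Jetty service account's uid for a periodic integrity check.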
How to Mitigate CVE-2020-27216
Immediate Actions Required
- Upgrade Eclipse Jetty to version 9.4.33.v20201020 or later, 10.0.0.beta3 or later, or 11.0.0.beta3 or later
- Configure Jetty to use a dedicated, user-specific temporary directory with restricted permissions
- Review and restrict local user access on systems running Jetty servers
- Implement file system monitoring on critical temporary directories
Patch Information
Eclipse has released patched versions that address this vulnerability. For Jetty 9.4.x, upgrade to version 9.4.33.v20201020 or later. For Jetty 10.x, upgrade to 10.0.0.beta3 or later. For Jetty 11.x, upgrade to 11.0.0.beta3 or later. Detailed patch information is available in the Eclipse Bug Report #567921 and the GitHub Security Advisory.
For Oracle products, refer to the Oracle CPU January 2021, April 2021, July 2021, and October 2021 advisories for product-specific patches.
Workarounds
- Set the java.io.tmpdir system property to a dedicated directory with permissions restricted to the Jetty service account only
- Use umask settings to ensure restrictive default permissions on newly created directories
- Mount the temporary directory with the nosuid and noexec options to limit potential exploitation impact
- Consider running Jetty in a containerized environment with isolated temporary storage
# Configuration example
# Create a dedicated temporary directory for Jetty with restricted permissions.
# Passing the mode to mkdir avoids a brief window in which the directory
# exists with default (umask-derived) permissions before a separate chmod runs.
mkdir -p -m 700 /var/jetty/tmp
chown jetty:jetty /var/jetty/tmp
# Configure Jetty to use the dedicated temporary directory
# Add to the Jetty startup configuration or JAVA_OPTIONS
JAVA_OPTIONS="-Djava.io.tmpdir=/var/jetty/tmp"
# Alternative: set in jetty.sh or in the systemd service file
# Environment="JAVA_OPTIONS=-Djava.io.tmpdir=/var/jetty/tmp"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

