CVE-2021-28163: Eclipse Jetty Information Disclosure Flaw

CVE-2021-28163 Overview

CVE-2021-28163 is an information disclosure vulnerability affecting Eclipse Jetty, a popular open-source Java-based web server and servlet container. The vulnerability occurs when a user configures the webapps directory as a symbolic link (symlink). In this scenario, Jetty incorrectly deploys the contents of the webapps directory as a static web application, inadvertently exposing the webapps themselves and any other files present in that directory to unauthorized access.

This vulnerability falls into the category of symlink attack vulnerabilities (CWE-59) combined with information exposure (CWE-200), where improper handling of symbolic links leads to unintended information disclosure.

Critical Impact
Attackers with administrative access can exploit symlinked webapps directories to expose sensitive application files and directory contents, potentially revealing configuration data, source code, and other sensitive information to unauthorized parties.

Affected Products

Eclipse Jetty 9.4.32 to 9.4.38
Eclipse Jetty 10.0.0.beta2 to 10.0.1
Eclipse Jetty 11.0.0.beta2 to 11.0.1
Apache Ignite (versions using affected Jetty)
Apache Solr 8.8.1
NetApp Cloud Manager
NetApp E-Series Performance Analyzer
NetApp E-Series SANtricity OS Controller
NetApp E-Series SANtricity Web Services
NetApp SnapCenter and SnapCenter Plug-in
Oracle Banking APIs and Digital Experience
Oracle Communications Element Manager, Services Gatekeeper, Session Report Manager, and Session Route Manager
Fedora 32, 33, and 34

Discovery Timeline

April 1, 2021 - CVE-2021-28163 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-28163

Vulnerability Analysis

The vulnerability exists in how Eclipse Jetty handles the webapps directory when it is configured as a symbolic link. When Jetty detects a webapps directory that is actually a symlink pointing to another location, it fails to properly validate and handle this configuration. Instead of processing the web applications within the directory normally, Jetty deploys the entire directory contents as a static web application.

This behavior causes Jetty to serve all files in the directory—including the web applications themselves, their configuration files, and any other files that may exist in the symlinked location—as static content accessible via HTTP requests. The vulnerability requires high privileges to exploit (the attacker needs administrative access to configure the symlink), but once exploited, it can expose sensitive information without requiring user interaction.

Root Cause

The root cause of this vulnerability is improper handling of symbolic links in the Jetty web server's deployment mechanism. Specifically, the deployment logic does not correctly distinguish between a regular webapps directory and one that is a symbolic link. When encountering a symlinked directory, the deployment process incorrectly treats the contents as static resources rather than web applications requiring proper deployment processing.

This is fundamentally a CWE-59 (Improper Link Resolution Before File Access) issue, where the application follows symbolic links without adequate validation, combined with CWE-200 (Exposure of Sensitive Information) as the resulting impact.

Attack Vector

The attack vector for CVE-2021-28163 involves the following scenario:

An attacker with administrative privileges on the Jetty server (or ability to influence server configuration) creates a symbolic link for the webapps directory pointing to a location containing sensitive files
Alternatively, the server may already be configured with a symlinked webapps directory for legitimate operational reasons
When Jetty starts or redeploys, it incorrectly serves the symlinked directory contents as static files
Remote attackers can then access sensitive files that should not be publicly accessible through standard HTTP requests to the Jetty server

The attack requires network access to the Jetty server and depends on specific directory configuration using symbolic links. While the attacker needs high privileges to set up the vulnerable configuration, the information disclosure affects data confidentiality.

Detection Methods for CVE-2021-28163

Indicators of Compromise

Unexpected HTTP 200 responses for requests to paths that should not be accessible (e.g., /WEB-INF/, /META-INF/)
Web server logs showing access to application configuration files or deployment descriptors
Access patterns indicating directory enumeration or browsing of the webapps directory structure

Detection Strategies

Review Jetty server configuration to identify if the webapps directory is configured as a symbolic link using ls -la or similar commands
Monitor web server access logs for requests to internal application files that should not be publicly accessible
Implement file integrity monitoring on the webapps directory to detect symlink creation or modification
Use application security testing tools to probe for exposed internal files and directory listings

Monitoring Recommendations

Enable verbose logging for Jetty deployment activities to capture warnings about symlinked directories
Configure alerts for unusual file access patterns in web server logs, particularly requests for .xml, .properties, or other configuration file extensions
Implement network traffic analysis to detect bulk file downloads from the webapps directory

How to Mitigate CVE-2021-28163

Immediate Actions Required

Verify whether the webapps directory in any Jetty installations is configured as a symbolic link and convert it to a regular directory if possible
Upgrade Eclipse Jetty to a patched version: 9.4.39 or later, 10.0.2 or later, or 11.0.2 or later
Review server configurations across all environments (development, staging, production) for this misconfiguration
Audit web server access logs for any signs of information disclosure that may have already occurred

Patch Information

Eclipse has released patched versions that properly handle symlinked webapps directories. Organizations should upgrade to the following versions:

Jetty 9.4.x: Upgrade to version 9.4.39 or later
Jetty 10.x: Upgrade to version 10.0.2 or later
Jetty 11.x: Upgrade to version 11.0.2 or later

For products that embed Jetty, refer to vendor-specific advisories:

Oracle January 2022 CPU and October 2021 CPU for Oracle products
NetApp Security Advisory NTAP-20210611-0006 for NetApp products
GitHub Security Advisory GHSA-j6qj-j888-vvgq for detailed technical information

Workarounds

Replace any symbolic links used for the webapps directory with actual directories containing the web applications
Implement web application firewall (WAF) rules to block requests attempting to access internal application paths like /WEB-INF/ or /META-INF/
Restrict network access to the Jetty server to only trusted networks and authorized users until patching can be completed

bash

# Check if webapps directory is a symlink
ls -la /path/to/jetty/webapps

# If it's a symlink, replace with actual directory
# 1. Backup current symlink target
cp -rL /path/to/jetty/webapps /path/to/jetty/webapps_backup

# 2. Remove the symlink
rm /path/to/jetty/webapps

# 3. Move backup to original location
mv /path/to/jetty/webapps_backup /path/to/jetty/webapps

# 4. Restart Jetty
systemctl restart jetty

CVE-2021-28163 Overview

Critical Impact
Attackers with administrative access can exploit symlinked webapps directories to expose sensitive application files and directory contents, potentially revealing configuration data, source code, and other sensitive information to unauthorized parties.

Affected Products

Eclipse Jetty 9.4.32 to 9.4.38
Eclipse Jetty 10.0.0.beta2 to 10.0.1
Eclipse Jetty 11.0.0.beta2 to 11.0.1
Apache Ignite (versions using affected Jetty)
Apache Solr 8.8.1
NetApp Cloud Manager
NetApp E-Series Performance Analyzer
NetApp E-Series SANtricity OS Controller
NetApp E-Series SANtricity Web Services
NetApp SnapCenter and SnapCenter Plug-in
Oracle Banking APIs and Digital Experience
Oracle Communications Element Manager, Services Gatekeeper, Session Report Manager, and Session Route Manager
Fedora 32, 33, and 34

Discovery Timeline

April 1, 2021 - CVE-2021-28163 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-28163

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector for CVE-2021-28163 involves the following scenario:

An attacker with administrative privileges on the Jetty server (or ability to influence server configuration) creates a symbolic link for the webapps directory pointing to a location containing sensitive files
Alternatively, the server may already be configured with a symlinked webapps directory for legitimate operational reasons
When Jetty starts or redeploys, it incorrectly serves the symlinked directory contents as static files
Remote attackers can then access sensitive files that should not be publicly accessible through standard HTTP requests to the Jetty server

Detection Methods for CVE-2021-28163

Indicators of Compromise

Unexpected HTTP 200 responses for requests to paths that should not be accessible (e.g., /WEB-INF/, /META-INF/)
Web server logs showing access to application configuration files or deployment descriptors
Access patterns indicating directory enumeration or browsing of the webapps directory structure

Detection Strategies

Review Jetty server configuration to identify if the webapps directory is configured as a symbolic link using ls -la or similar commands
Monitor web server access logs for requests to internal application files that should not be publicly accessible
Implement file integrity monitoring on the webapps directory to detect symlink creation or modification
Use application security testing tools to probe for exposed internal files and directory listings

Monitoring Recommendations

Enable verbose logging for Jetty deployment activities to capture warnings about symlinked directories
Configure alerts for unusual file access patterns in web server logs, particularly requests for .xml, .properties, or other configuration file extensions
Implement network traffic analysis to detect bulk file downloads from the webapps directory

How to Mitigate CVE-2021-28163

Immediate Actions Required

Verify whether the webapps directory in any Jetty installations is configured as a symbolic link and convert it to a regular directory if possible
Upgrade Eclipse Jetty to a patched version: 9.4.39 or later, 10.0.2 or later, or 11.0.2 or later
Review server configurations across all environments (development, staging, production) for this misconfiguration
Audit web server access logs for any signs of information disclosure that may have already occurred

Patch Information

Eclipse has released patched versions that properly handle symlinked webapps directories. Organizations should upgrade to the following versions:

Jetty 9.4.x: Upgrade to version 9.4.39 or later
Jetty 10.x: Upgrade to version 10.0.2 or later
Jetty 11.x: Upgrade to version 11.0.2 or later

For products that embed Jetty, refer to vendor-specific advisories:

Oracle January 2022 CPU and October 2021 CPU for Oracle products
NetApp Security Advisory NTAP-20210611-0006 for NetApp products
GitHub Security Advisory GHSA-j6qj-j888-vvgq for detailed technical information

Workarounds

Replace any symbolic links used for the webapps directory with actual directories containing the web applications
Implement web application firewall (WAF) rules to block requests attempting to access internal application paths like /WEB-INF/ or /META-INF/
Restrict network access to the Jetty server to only trusted networks and authorized users until patching can be completed

bash

# Check if webapps directory is a symlink
ls -la /path/to/jetty/webapps

# If it's a symlink, replace with actual directory
# 1. Backup current symlink target
cp -rL /path/to/jetty/webapps /path/to/jetty/webapps_backup

# 2. Remove the symlink
rm /path/to/jetty/webapps

# 3. Move backup to original location
mv /path/to/jetty/webapps_backup /path/to/jetty/webapps

# 4. Restart Jetty
systemctl restart jetty

CVE-2021-28163: Eclipse Jetty Information Disclosure Flaw

CVE-2021-28163 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-28163

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-28163

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-28163

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2021-28163: Eclipse Jetty Information Disclosure Flaw

CVE-2021-28163 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-28163

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-28163

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-28163

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform