CVE-2021-28164 Overview
CVE-2021-28164 is an information disclosure vulnerability in Eclipse Jetty versions 9.4.37.v20210219 to 9.4.38.v20210224. The default compliance mode in affected versions fails to properly normalize URI paths containing percent-encoded characters, allowing attackers to bypass security constraints and access protected resources within the WEB-INF directory. By crafting malicious requests with %2e (encoded period) or %2e%2e (encoded double period) segments, an unauthenticated remote attacker can retrieve sensitive configuration files such as web.xml, potentially exposing critical implementation details of web applications.
Critical Impact
Unauthenticated attackers can remotely access sensitive configuration files within the WEB-INF directory, exposing application architecture, database credentials, security configurations, and other sensitive implementation details that could facilitate further attacks.
Affected Products
- Eclipse Jetty 9.4.37.v20210219
- Eclipse Jetty 9.4.38.v20210224
- NetApp Cloud Manager
- NetApp E-Series Performance Analyzer
- NetApp E-Series SANtricity OS Controller
- NetApp E-Series SANtricity Web Services
- NetApp Element Plug-in for vCenter Server
- NetApp SANtricity Cloud Connector
- NetApp SnapCenter
- NetApp SnapCenter Plug-in for VMware vSphere
- NetApp Storage Replication Adapter for Clustered Data ONTAP
- NetApp VASA Provider for Clustered Data ONTAP
- NetApp Virtual Storage Console
- Oracle AutoVue for Agile Product Lifecycle Management 21.0.2
- Oracle Banking APIs 20.1 and 21.1
- Oracle Banking Digital Experience 20.1 and 21.1
- Oracle Communications Session Route Manager
- Oracle Siebel Core - Automation
Discovery Timeline
- April 1, 2021 - CVE-2021-28164 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-28164
Vulnerability Analysis
This vulnerability exploits a path normalization flaw in Eclipse Jetty's URI handling mechanism. When processing HTTP requests, Jetty's default compliance mode does not properly decode and normalize percent-encoded path segments before applying security constraints. The vulnerability specifically targets the WEB-INF directory, which is a protected location in Java web applications containing sensitive deployment descriptors, configuration files, and compiled classes.
The attack leverages the fact that %2e represents an encoded period (.) character in URL encoding. When an attacker sends a request containing /context/%2e/WEB-INF/web.xml, Jetty's security check sees the encoded path and fails to recognize it as a traversal attempt. However, during actual resource resolution, the path is decoded, effectively becoming /context/./WEB-INF/web.xml, which resolves to the protected web.xml file.
This information disclosure can reveal database connection strings, authentication configurations, servlet mappings, session timeout values, and other sensitive deployment details that attackers can leverage for subsequent attacks.
Root Cause
The root cause lies in the order of operations within Jetty's request handling pipeline. Security constraint checking occurs before complete URI normalization, so a path whose encoded segments have not yet been collapsed is compared against the constraint and passes. The default compliance mode (RFC7230) does not enforce strict path decoding before security evaluation, allowing the encoded . and .. sequences to evade the check while still being resolved during resource access.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP GET requests to any Jetty-based web application. The attack pattern involves substituting standard path characters with their percent-encoded equivalents:
- /context/%2e/WEB-INF/web.xml - Using single encoded period to access WEB-INF
- /context/%2e%2e/WEB-INF/web.xml - Using encoded double-period for path traversal
- /context/path/%2e/WEB-INF/classes/ - Accessing compiled class files
The attacker sends these requests directly to the web server, and if vulnerable, the server responds with the contents of protected files. This requires only standard HTTP client capabilities, making exploitation trivial from any network location with access to the target server.
Detection Methods for CVE-2021-28164
Indicators of Compromise
- HTTP access logs containing requests with %2e or %2e%2e in the URI path, particularly preceding /WEB-INF/
- Unusual access patterns to configuration files such as web.xml, context.xml, or files within /WEB-INF/classes/
- HTTP 200 responses to requests that should normally return 403 Forbidden for WEB-INF directory access
- Reconnaissance activity from external sources probing multiple path encoding variations
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block requests containing encoded path traversal sequences (%2e, %2e%2e, %252e) targeting protected directories
- Implement log analysis to identify requests with percent-encoded periods followed by sensitive directory paths like WEB-INF or META-INF
- Configure intrusion detection systems (IDS) signatures for Eclipse Jetty path traversal patterns
- Monitor for anomalous file access patterns on application servers, particularly read operations on deployment descriptors
Monitoring Recommendations
- Enable detailed HTTP access logging including full URI paths with query parameters and response codes
- Create alerts for successful (HTTP 200) responses to any request containing WEB-INF in the decoded path
- Monitor application server file system access for reads of *.xml configuration files outside normal deployment operations
- Implement real-time log correlation to detect scanning behavior across multiple URI encoding variants
How to Mitigate CVE-2021-28164
Immediate Actions Required
- Upgrade Eclipse Jetty to version 9.4.39.v20210325 or later, which includes the security fix for this vulnerability
- Review web server access logs for evidence of exploitation attempts using encoded path patterns
- Audit any exposed configuration files for sensitive information that may have been disclosed
- Consider rotating credentials and secrets that may have been exposed in web.xml or other configuration files
Patch Information
Eclipse has released version 9.4.39.v20210325 which addresses this vulnerability by enforcing proper URI normalization before security constraint evaluation. The fix ensures that percent-encoded path segments are decoded and normalized prior to access control checks.
For detailed patch information and upgrade instructions, refer to the Eclipse Jetty Security Advisory GHSA-v7ff-8wcx-gmc5.
Organizations using affected NetApp or Oracle products should consult their respective vendor security advisories.
Workarounds
- Configure Jetty to use a stricter URI compliance mode that rejects ambiguous path segments by setting the HttpCompliance level
- Implement web application firewall rules to block requests containing %2e or %2e%2e sequences in the path
- Apply network segmentation to limit external access to Jetty-based application servers
- Deploy a reverse proxy in front of Jetty that normalizes URIs before forwarding requests to the backend
# Jetty configuration to enforce strict URI compliance
# Add to start.ini or equivalent configuration file
--module=http
jetty.httpConfig.uriCompliance=RFC3986
jetty.httpConfig.requestCookieCompliance=RFC6265
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.