CVE-2021-34428 Overview
CVE-2021-34428 is a session management vulnerability affecting Eclipse Jetty, a popular open-source Java-based HTTP server, HTTP client, and servlet container. The vulnerability occurs when an exception is thrown from the SessionListener#sessionDestroyed() method, causing the session ID to remain valid in the session ID manager instead of being properly invalidated.
This flaw is particularly concerning in deployments utilizing clustered sessions with multiple contexts, where it can result in a session not being invalidated across the cluster. In practical terms, this means an application used on a shared computer could remain logged in even after the user believes they have logged out, potentially exposing sensitive information to subsequent users of the same system.
Critical Impact
On shared systems with clustered sessions, users may remain logged in after session destruction fails, creating unauthorized access opportunities for subsequent physical users.
Affected Products
- Eclipse Jetty versions <= 9.4.40
- Eclipse Jetty versions <= 10.0.2
- Eclipse Jetty versions <= 11.0.2
- Debian Linux 10.0
- NetApp Active IQ Unified Manager (Linux and Windows)
- NetApp E-Series SANtricity OS Controller
- NetApp E-Series SANtricity Web Services
- NetApp Element Plug-in for vCenter Server
- NetApp SANtricity Cloud Connector
- NetApp Snap Creator Framework
- NetApp SnapManager for SAP
- Oracle AutoVue for Agile Product Lifecycle Management 21.0.2
- Oracle Communications Element Manager 8.2.2
- Oracle Communications Services Gatekeeper 7.0
- Oracle Communications Session Report Manager
- Oracle Communications Session Route Manager
- Oracle REST Data Services
- Oracle Siebel Core - Automation
Discovery Timeline
- 2021-06-22 - CVE-2021-34428 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-34428
Vulnerability Analysis
This vulnerability falls under CWE-613 (Insufficient Session Expiration), representing an improper session management flaw in Jetty's session handling mechanism. The core issue lies in the exception handling logic within the session destruction process.
When a web application registers a SessionListener to perform cleanup operations during session destruction, Jetty invokes the sessionDestroyed() callback method. Under normal circumstances, after this callback completes, Jetty removes the session ID from its internal session ID manager, ensuring the session cannot be reused.
However, when an exception is thrown from within the sessionDestroyed() method, the subsequent session ID invalidation code is bypassed. The session ID remains registered as valid in the session ID manager, even though the session object itself may have been partially cleaned up.
Root Cause
The root cause stems from inadequate exception handling in Jetty's session lifecycle management code. The session invalidation logic does not properly handle exceptions thrown by application-level SessionListener implementations. Instead of ensuring the session ID is always invalidated regardless of listener exceptions, the code allows the exception to propagate, leaving the session ID in a valid state within the session ID manager.
This design flaw violates the principle that security-critical operations (like session invalidation) should complete even when non-critical operations (like application cleanup callbacks) fail.
Attack Vector
The attack vector for this vulnerability requires physical access to a shared computer where the vulnerable application is deployed. The exploitation scenario unfolds as follows:
- A legitimate user authenticates to a Jetty-based web application on a shared computer
- The user attempts to log out, triggering session destruction
- The application's SessionListener#sessionDestroyed() method throws an exception during cleanup
- The session ID remains valid in the session ID manager due to the incomplete invalidation
- In clustered environments, the session may remain valid across multiple application contexts
- A subsequent physical user of the same computer may be able to access the previous user's session
The vulnerability is particularly impactful in environments with clustered sessions where session state is shared across multiple application contexts or server instances, as the incomplete invalidation affects the entire cluster.
Detection Methods for CVE-2021-34428
Indicators of Compromise
- Unexpected session persistence in application logs after user logout attempts
- Exceptions logged from SessionListener#sessionDestroyed() implementations followed by session reuse
- Session IDs appearing active in session ID manager after destruction was requested
- Audit logs showing access to authenticated resources after logout events
Detection Strategies
- Review application logs for exceptions thrown during session destruction events
- Monitor for patterns where logout actions are followed by continued session activity
- Implement session auditing to track session lifecycle events and detect anomalies
- Deploy application performance monitoring to identify exception patterns in SessionListener callbacks
Monitoring Recommendations
- Enable verbose session lifecycle logging in Jetty to capture destruction events and failures
- Implement custom monitoring for session ID manager state to detect orphaned sessions
- Configure alerts for exception patterns in session listener execution
- Monitor clustered session replication logs for inconsistent session states across nodes
How to Mitigate CVE-2021-34428
Immediate Actions Required
- Upgrade Eclipse Jetty to version 9.4.41, 10.0.3, or 11.0.3 or later
- Audit all SessionListener implementations to ensure proper exception handling
- Wrap session listener code in try-catch blocks to prevent exceptions from propagating
- Review clustered session configurations and validate session invalidation across contexts
Patch Information
Eclipse has released patched versions addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- Jetty 9.x: Upgrade to version 9.4.41 or later
- Jetty 10.x: Upgrade to version 10.0.3 or later
- Jetty 11.x: Upgrade to version 11.0.3 or later
For detailed information, refer to the GitHub Security Advisory. Additional vendor-specific patches are available from Oracle Security Alert October 2021, Oracle Security Alert January 2022, and NetApp Security Advisory NTAP-20210813-0003.
Workarounds
- Implement defensive exception handling in all SessionListener#sessionDestroyed() methods to prevent exception propagation
- Consider implementing a wrapper listener that catches and logs exceptions while ensuring cleanup completes
- For shared computer environments, implement additional client-side session cleanup mechanisms
- Reduce session timeout values to limit the exposure window for orphaned sessions
# Configuration example - Review and harden session listener implementations
# Ensure all SessionListener implementations follow this pattern:
# In your web application's SessionListener:
# 1. Wrap all sessionDestroyed() logic in try-catch blocks
# 2. Log exceptions but do not rethrow them
# 3. Ensure critical cleanup completes even on partial failures
# Jetty upgrade example using Maven:
# Update pom.xml to use patched version:
# <dependency>
# <groupId>org.eclipse.jetty</groupId>
# <artifactId>jetty-server</artifactId>
# <version>9.4.41.v20210516</version>
# </dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
