CVE-2021-34429 Overview
CVE-2021-34429 is an information disclosure vulnerability in Eclipse Jetty, a popular open-source Java-based HTTP server and servlet container. The vulnerability allows attackers to craft URIs using encoded characters to access the content of the WEB-INF directory and bypass security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5, demonstrating that the initial fix was incomplete.
Critical Impact
Attackers can remotely access sensitive configuration files, deployment descriptors, and potentially source code stored in the WEB-INF directory, leading to unauthorized information disclosure and security constraint bypasses in web applications.
Affected Products
- Eclipse Jetty versions 9.4.37-9.4.42
- Eclipse Jetty versions 10.0.1-10.0.5
- Eclipse Jetty versions 11.0.1-11.0.5
- NetApp E-Series SANtricity OS Controller
- NetApp E-Series SANtricity Web Services
- NetApp Element Plug-in for vCenter Server
- NetApp HCI Management Node
- NetApp Snap Creator Framework
- NetApp SnapCenter Plug-in for VMware vSphere
- NetApp SolidFire
- Oracle AutoVue for Agile Product Lifecycle Management 21.0.2
- Oracle Communications Cloud Native Core Binding Support Function 1.10.0
- Oracle Communications Cloud Native Core Security Edge Protection Proxy 1.5.0
- Oracle Communications Cloud Native Core Service Communication Proxy 1.14.0
- Oracle Communications Cloud Native Core Unified Data Repository 1.14.0
- Oracle Communications Diameter Signaling Router
- Oracle Financial Services Crime and Compliance Management Studio
- Oracle REST Data Services
- Oracle Retail EFTLink 20.0.1
- Oracle Stream Analytics
Discovery Timeline
- July 15, 2021 - CVE-2021-34429 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-34429
Vulnerability Analysis
This path traversal vulnerability stems from improper URI normalization in Eclipse Jetty's request handling. The web server fails to properly decode and validate certain encoded characters within request URIs before applying access control checks. As a result, attackers can use URL encoding techniques to construct malicious requests that bypass the standard protections preventing access to the WEB-INF directory.
The WEB-INF directory in Java web applications typically contains sensitive files including web.xml (deployment descriptor), compiled Java classes, library JAR files, and configuration files that should never be directly accessible to clients. Successful exploitation allows attackers to read these protected resources without authentication.
Root Cause
The root cause is an incomplete fix for CVE-2021-28164. The original vulnerability allowed path traversal using certain encoded characters, and while Eclipse attempted to address this, the patch did not account for all possible encoding variations. The URI canonicalization logic fails to properly handle specific combinations of encoded characters before checking access permissions against protected directories.
This represents a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) weakness, where the application exposes information that should be restricted to authorized users only.
Attack Vector
The attack is network-based and can be executed remotely without authentication. An attacker crafts HTTP requests containing specially encoded characters in the URI path that target the WEB-INF directory. When Jetty processes these requests, the access control check occurs against the encoded URI, which does not match the protected path pattern. However, when the request is ultimately resolved, the decoded path points to the protected directory, allowing the attacker to read its contents.
The attack requires no user interaction and can be performed against any vulnerable Jetty server exposed to the network. Exploitation techniques involve using various URL encoding schemes such as double encoding, mixed encoding, or Unicode normalization forms to evade the path validation logic.
Detection Methods for CVE-2021-34429
Indicators of Compromise
- HTTP requests containing unusual URL-encoded sequences targeting /WEB-INF/ paths
- Access logs showing requests with %2e, %2f, %5c, or other encoded path separator characters
- Requests attempting to access web.xml, class files, or configuration files from external sources
- Multiple sequential requests probing different encoding variations against protected directories
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests with suspicious path encoding patterns targeting WEB-INF
- Monitor HTTP access logs for anomalous URL patterns containing multiple levels of encoding or path traversal sequences
- Deploy intrusion detection signatures that identify CVE-2021-34429 exploitation attempts based on known attack patterns
- Utilize SentinelOne's application vulnerability detection to identify running Jetty instances with vulnerable versions
Monitoring Recommendations
- Enable verbose logging on Jetty servers to capture full request URIs including encoded characters
- Set up alerts for any successful responses to requests containing WEB-INF in the decoded path
- Implement real-time log analysis to correlate multiple reconnaissance attempts from the same source
- Monitor for unusual file access patterns in Jetty's context directories
How to Mitigate CVE-2021-34429
Immediate Actions Required
- Upgrade Eclipse Jetty to version 9.4.43 or later for the 9.x branch
- Upgrade Eclipse Jetty to version 10.0.6 or later for the 10.x branch
- Upgrade Eclipse Jetty to version 11.0.6 or later for the 11.x branch
- Review web server access logs for evidence of exploitation attempts
- Audit exposed Jetty instances and ensure they are not directly accessible from untrusted networks
Patch Information
Eclipse has released patched versions addressing this vulnerability. Organizations should update to the following minimum versions:
- Jetty 9.x series: Upgrade to 9.4.43.v20210629 or later
- Jetty 10.x series: Upgrade to 10.0.6 or later
- Jetty 11.x series: Upgrade to 11.0.6 or later
For environments using third-party products that embed Jetty (such as NetApp and Oracle products), refer to the respective vendor security advisories:
- Oracle Critical Patch Update April 2022
- Oracle Critical Patch Update January 2022
- Oracle Critical Patch Update July 2022
- GitHub Security Advisory GHSA-vjv5-gp2w-65vm
Workarounds
- Place a reverse proxy or web application firewall in front of Jetty to normalize and validate URI paths before they reach the application server
- Implement custom security constraints or filters to explicitly deny access to encoded path variations targeting protected directories
- Restrict network access to Jetty instances to trusted sources only using firewall rules
- Deploy additional access control layers at the application level to validate all file access requests
# Example: Update Jetty via Maven dependency
# Update your pom.xml to specify the patched version
# For Jetty 9.x:
# <dependency>
# <groupId>org.eclipse.jetty</groupId>
# <artifactId>jetty-server</artifactId>
# <version>9.4.43.v20210629</version>
# </dependency>
# Verify current Jetty version in running application
# Check for vulnerable versions: 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5
java -jar start.jar --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
