Earlier this week Gotham Digital Science (GDS) published a disclosure for a vulnerability in the Jetty web server. CVE-2015-2080, nicknamed JetLeak, allows an unauthenticated remote attacker to read data from previous requests submitted to the server by other users: a single malformed header character makes Jetty return part of a shared internal buffer in its error response, so the leaked bytes can include other users' headers, cookies and session tokens.
The GDS blog post outlines clearly what this vulnerability is and what you need to do to address it. Jetty versions 9.2.3 through 9.2.8 are affected by JetLeak, and Jetty recommends that users upgrade to version 9.2.9.v20150224 immediately. If you are a Veracode Discovery customer, we can help you. Otherwise, your best option is to use the Python testing script developed by GDS, which sends the malformed request and checks the response for leaked buffer contents. You can find this script here: https://github.com/GDSSecurity/Jetleak-Testing-Script.
But what if you don’t know what version you are running? Or whether you are running Jetty at all? Even though this vulnerability does not have the potential to be as far-reaching or as impactful as Heartbleed or Shellshock, it once again highlights the importance of knowing how many applications are in your environment. Next time the vulnerability could be more serious, and if you don’t have a method for quickly assessing your environment or finding vulnerable instances, you cannot react to critical vulnerability disclosures in a timely manner.
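Once you have an inventory, the first triage step is to sort each host by the Jetty version it reports. The script below is an added example, not code from the original post, from GDS or from the Jetty project. It parses the version out of a Jetty `Server:` banner or a `jetty-server-*.jar` filename and classifies it against the JetLeak range stated in the GDS and Jetty advisories (9.2.3 up to and including 9.2.8, fixed in 9.2.9.v20150224); the hostnames and banners in `SAMPLE_INVENTORY` are constructed for illustration.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected range for CVE-2015-2080 as published in the Jetty/GDS advisories
# (taken from the advisory; verify against the current text before relying on it):
# 9.2.3 up to and including 9.2.8; fixed in 9.2.9.v20150224.
FIRST_AFFECTED = (9, 2, 3)
FIXED_IN = (9, 2, 9)

# Matches "9.2.8", "9.2.8.v20150217", "Jetty(9.2.8.v20150217)" and
# "jetty-server-9.2.8.v20150217.jar". The optional ".vYYYYMMDD" build
# suffix is consumed so it is not mistaken for a fourth version component.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?(?!\d)")


def parse_jetty_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server header or jar name, or None
    when the banner is not Jetty or carries no version (e.g. a bare "Jetty")."""
    if "jetty" not in banner.lower():
        return None
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_jetleak_affected(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison keeps 9.2.10 above 9.2.9 (a plain string compare would not)."""
    return FIRST_AFFECTED <= version < FIXED_IN


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Classify each (host, banner) pair as affected / not-affected / unknown.
    'unknown' hosts (no Jetty marker, or the version is hidden) still need the
    GDS test script or a look at the deployed jars; a banner is only a hint."""
    results: Dict[str, str] = {}
    for host, banner in inventory:
        version = parse_jetty_version(banner)
        if version is None:
            results[host] = "unknown"
        elif is_jetleak_affected(version):
            results[host] = "affected"
        else:
            results[host] = "not-affected"
    return results


# Constructed sample inventory: (host, Server header or jar name seen on the host).
SAMPLE_INVENTORY = [
    ("www.example.com", "Jetty(9.2.8.v20150217)"),          # last affected release
    ("api.example.com", "Jetty(9.2.9.v20150224)"),          # the fix release
    ("old.example.com", "Jetty(9.2.2.v20140723)"),          # predates the bug
    ("app.example.com", "jetty-server-9.2.3.v20140905.jar"),  # first affected release
    ("ops.example.com", "Jetty(9.2.10.v20150310)"),         # later than the fix
    ("shop.example.com", "Apache/2.4.10 (Debian)"),         # not Jetty at all
    ("hidden.example.com", "Jetty"),                        # version suppressed
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:22} {status}")
```

Treat the output as a worklist rather than a verdict: a `Server:` header can be suppressed or rewritten by a proxy, and Jetty is often embedded inside another product, so "unknown" and "not-affected" hosts found only by banner still deserve a run of the GDS test script before you close the ticket.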
Web applications are the number one attack vector, according to the Verizon Data Breach Investigations Report, yet according to SANS, many organizations don’t even know how many applications they have in their portfolio. Our Discovery solution addresses this visibility gap by rapidly building a global inventory of all your externally facing web applications, such as corporate sites, temporary marketing sites, international domains and sites obtained through mergers and acquisitions.
For more information on the importance of securing web applications, listen to the webinar Are You Only Testing Web Apps in Production?
Learn how a Global 100 Manufacturer Reduces Risk Across 30,000 Domains in Eight Days working with Veracode.