Security issues with Subsonic/Jetty 6.1.x



Postby pcp » Fri Apr 13, 2018 7:31 pm

I run a Subsonic server using v6.1.3 (build e408c9) on Ubuntu 16.04, and I have a private domain name secured with an SSL certificate from Let's Encrypt.

Port 443 for the https Subsonic site is the only port open on my public IP. I recently ran a vulnerability scan on it and found a list of security vulnerabilities in the web server configuration and Jetty 6.1.3:

- The SSL/TLS Server supports TLSv1.0
- X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, and Strict-Transport-Security HTTP headers are missing
- Cookie doesn't contain the "secure" or "HTTPOnly" attributes
- Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability
- J2EE Misconfiguration: Insufficient session ID length (should be 128 bits)

And regardless of version, Jetty 6.x and 7.x have these vulnerabilities:
- Dump Servlet information leak
- FORM Authentication demo information leak
- JSP Dump reflected XSS
- Session Dump Servlet stored XSS
- Cookie Dump Servlet escape sequence injection
- Http Content-Length header escape sequence injection
- Cookie Dump Servlet stored XSS
- WebApp JSP Snoop page XSS

I'm guessing some (if not all) of these could be solved by using the latest Jetty...but I'm not familiar enough to understand whether it's possible for me to upgrade to v8 or the latest v9.49 with the existing closed-source Subsonic. Is it?

If that's not possible, does anyone know how I could reconfigure the existing Jetty to close some of these holes?

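The post above lists scanner findings that can be reproduced from a single captured HTTP response: the missing security headers, the cookie attributes, the session ID length and the internal-address disclosure. The script below is an added example (it is not code from the original post, from Subsonic or from Jetty) that audits one response head against those four findings, so that a change to the server or to a reverse proxy in front of it can be checked before the next scan. The two responses it runs on are constructed for this example, the suggested header values are assumptions (pick values that fit your site), the session-ID entropy estimate assumes every character of the ID is uniformly random, and anything after a dot in the ID is treated as a non-random routing suffix. The TLSv1.0 finding needs a live handshake and is not covered here.

```python
"""Audit one raw HTTP response for the header, cookie, session-ID and
internal-address findings listed in the post (added example, not project code)."""
import ipaddress
import math
import re
from typing import Dict, List, Tuple

# Headers the scan reported missing, with assumed values for an HTTPS-only site.
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "content-security-policy": "default-src 'self'",
}
MIN_SESSION_BITS = 128                 # the scanner's threshold from the post
SESSION_COOKIE_NAMES = {"jsessionid"}  # servlet-spec default session cookie name
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw response into [(lower-cased name, value), ...] and the body.
    Repeated headers such as several Set-Cookie lines are all kept."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers, body


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (name, value, {attribute: value}); flag attributes map to ''."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), attrs


def session_id_bits(session_id: str) -> float:
    """Upper bound on session-ID entropy: length * log2(alphabet size).
    Assumption: a dotted suffix (e.g. '.node0') is routing info, not randomness."""
    core = session_id.split(".", 1)[0]
    if re.fullmatch(r"[0-9a-f]+", core):
        radix = 16
    elif re.fullmatch(r"[0-9a-z]+", core):
        radix = 36
    elif re.fullmatch(r"[0-9A-Za-z]+", core):
        radix = 62
    else:
        radix = max(len(set(core)), 2)
    return len(core) * math.log2(radix)


def private_addresses(text: str) -> List[str]:
    """RFC 1918 / loopback / link-local IPv4 addresses found in text, deduplicated."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if ip.is_private and candidate not in found:
            found.append(candidate)
    return found


def audit_response(raw: str) -> List[str]:
    """Return one finding string per problem; an empty list means the response is clean."""
    headers, body = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, suggested in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header: {name} (suggested: {suggested})")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cname, cval, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cname} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname} lacks HttpOnly")
        if cname.lower() in SESSION_COOKIE_NAMES:
            bits = session_id_bits(cval)
            if bits < MIN_SESSION_BITS:
                findings.append(f"session id {cname} has ~{bits:.0f} bits, need {MIN_SESSION_BITS}")
    # The internal-IP finding usually comes from a redirect or link that names a LAN address.
    for ip in private_addresses("\n".join(v for _, v in headers) + "\n" + body):
        findings.append(f"internal address disclosed: {ip}")
    return findings


# Constructed sample responses (not captured from a real Subsonic/Jetty server).
WEAK = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Jetty(6.1.x)\r\n"
    "Location: http://192.168.1.20:4040/login.view\r\n"
    "Set-Cookie: JSESSIONID=1w3x5y7z9a1b3.node0; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>Redirecting...</body></html>"
)
HARDENED = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://music.example.org/login.view\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: JSESSIONID=3f9a1c7e2b8d4f6a9c0e1b2d3f4a5c6e; Path=/; Secure; HttpOnly\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(raw) or "clean")
```

Run against a real server by replacing the constructed strings with the raw head of a response captured from the HTTPS port; the session-ID estimate is only an upper bound, so an ID that fails it is certainly too short, while one that passes may still be weak if the generator is not uniformly random.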
