CVE-2017-7657: HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).

Document ID : KB000122905
Last Modified Date : 12/12/2018
Show Technical Document Details
Question:
Vulnerability report shows CVE-2017-7657: HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2)

Library names:
jetty-http
jetty-server
jetty-util 
jetty-servlet

Is Identity Manager exposed to this vulnerability?
Answer:
Identity Manager is not exposed to this vulnerability.

Identity Manager system uses an Application Server to carry out the communication between Identity Manager User Console and Java Connector Server (JCS). Jetty is part of JCS and from deployment standpoint, JCS is positioned behind the Application Server. It is no way exposed to external interfaces to carry out any HTTP requests. Hence, IMS is not vulnerable to perform HTTP request smuggling with invalid request header for HTTP/0.9, HTTP request smuggling with invalid body content of HTTP/1.1 and to interpret the boundary of the HTTP request differently with more than one Content-Length headers.