[SECURITY] Mirth Connect 3.12.0 Vulnerable to multiple CVE's

[mikenike360]

A recent Vulnerability scan is showing that Mirth Connect 3.12.0 is vulnerable to the follow CVE's:

CVE-2021-28165 - Eclipse Jetty DoS Vulnerability (GHSA-26vr-8j45-3r4w) - Windows - "Eclipse Jetty version 7.2.2 through 9.4.38, 10.0.0.alpha0 through 10.0.1 and 11.0.0.alpha0 through 11.0.1." - Suggested remediation is to upgrade to at least version 10.0.2 or 11.0.2

CVE-2019-17632 -Eclipse Jetty XSS Vulnerability - CVE-2019-17632 (Windows) - Eclipse Jetty version 9.4.21.v20190926, 9.4.22.v20191022 and 9.4.23.v20191118. - Suggested remediation is to upgrade to at least version 10.0 or 11.0

CVE-2020-27223 - Eclipse Jetty DoS Vulnerability (GHSA-m394-8rww-3jr7) - Windows - Eclipse Jetty versions 9.4.6.v20170531 - 9.4.36.v20210114, 10.0.0 and 11.0.0. - Suggested remediation is to upgrade to at least version 10.0.1 or 11.0.1

CVE-2020-27218 - Eclipse Jetty Gzip Vulnerability (Windows) - "Eclipse Jetty versions 9.4.0.RC0 - 9.4.34.v20201102, 10.0.0.alpha0 - 10.0.0.beta2 and 11.0.0.alpha0 - 11.0.0.beta2." - Suggested remediation is to upgrade to at least version 10.0.1 or 11.0.1

CVE-2021-34428 - Eclipse Jetty Session Vulnerability (GHSA-m6cp-vxjx-65j6) - Windows - "Eclipse Jetty version 9.4.40.v20210413 and prior, 10.x through 10.0.2 and 11.x through 11.0.2." - - Suggested remediation is to upgrade to at least version 10.0.3 or 11.0.3

In order to resolve all of these CVE's Eclipse Jetty will need to upgraded to at least version 10.0.3 or 11.0.3

[pacmano1]

I don't understand your issue. If you have a security scan that identifies components that have outstanding CVEs, share that. And your title says 3.12 but you have 3.8.0 in your post. I would not share scans on 3.8.0 though.

[mikenike360]

I don't understand your issue. If you have a security scan that identifies components that have outstanding CVEs, share that. And your title says 3.12 but you have 3.8.0 in your post. I would not share scans on 3.8.0 though.

I accidentally hit submit before I was done with the post :) Please see the updates!

[yudong]

Hi there,

I am using Mirth Connect 3.12.0 as Docker Container. Following is a list of CVE scanned by grype tool Anchore:

Please let me know if you need more information or need help to scan for new/test version.

Thanks for your good work.

Component version used, version fixed cve severity

apache-jsp 9.4.21.v20190926 CVE-2020-27216 High
apache-jsp 9.4.21.v20190926 CVE-2021-28165 High
apache-jsp 8.5.40 CVE-2015-8751 High
commons-beanutils 1.9.3 1.9.4 GHSA-6phf-73q6-gh87 High
commons-beanutils 1.9.3 CVE-2019-10086 High
commons-compress 1.17 1.19 GHSA-53x6-4x5p-rrvv High
commons-compress 1.17 1.21 GHSA-7hfm-57qf-j43q High
commons-compress 1.17 1.21 GHSA-crv7-7245-f45f High
commons-compress 1.17 1.21 GHSA-mc84-pj99-q6hh High
commons-compress 1.17 1.21 GHSA-xqfj-vm6h-2x34 High
commons-compress 1.17 CVE-2019-12402 High
commons-compress 1.17 CVE-2021-35515 High
commons-compress 1.17 CVE-2021-35516 High
commons-compress 1.17 CVE-2021-35517 High
commons-compress 1.17 CVE-2021-36090 High
commons-email 1.3.1 CVE-2017-9801 High
commons-email 1.3.1 CVE-2018-1294 High
commons-fileupload 1.2.1 1.3.2 GHSA-fvm3-cfvj-gxqq High
commons-fileupload 1.2.1 1.3.1 GHSA-xx68-jfcg-xmmf High
commons-fileupload 1.2.1 1.3.3 GHSA-7x9j-7223-rg5m Critical
commons-fileupload 1.2.1 CVE-2014-0050 High
commons-fileupload 1.2.1 CVE-2016-1000031 Critical
commons-fileupload 1.2.1 CVE-2016-3092 High
derby 10.10.2.0 CVE-2015-1832 Critical
geronimo-j2ee-management_1.1_spec 1.0.1 CVE-2011-5034 High
geronimo-jms_1.1_spec 1.1.1 CVE-2011-5034 High
http-client CVE-2016-6286 High
http-client CVE-2016-6287 High
http-client CVE-2020-11021 High
http-server CVE-1999-0236 High
http-server CVE-1999-1125 High
http-server CVE-1999-1199 High
http-server CVE-1999-1237 High
http-server CVE-1999-1293 High
http-server CVE-2003-0789 High
http-server CVE-2003-0987 High
http-server CVE-2004-2343 High
http-server CVE-2007-0086 High
http-server CVE-2009-1890 High
http-server CVE-2009-1891 High
http-server CVE-2013-2249 High
http-server CVE-2016-5387 High
http-server CVE-2017-1000118 High
http-server CVE-2017-9788 Critical
http-server CVE-2017-9798 High
http-server CVE-2018-1303 High
http-server CVE-2021-34798 High
http-server CVE-2021-39275 Critical
http-server CVE-2021-40438 Critical
itext 2.1.7 CVE-2017-9096 High
jasypt 1.7.1 CVE-2014-9970 High
javax.mail 1.5.0 CVE-2016-4879 High
javax.mail 1.5.0 CVE-2017-15806 High
jdom 1.1.1 CVE-2021-33813 High
jersey-client 2.22.1 CVE-2014-3643 High
jersey-common 2.22.1 CVE-2014-3643 High
jersey-container-jetty-http 2.22.1 CVE-2014-3643 High
jersey-container-jetty-servlet 2.22.1 CVE-2014-3643 High
jersey-container-servlet 2.22.1 CVE-2014-3643 High
jersey-container-servlet-core 2.22.1 CVE-2014-3643 High
jersey-guava 2.22.1 CVE-2014-3643 High
jersey-media-jaxb 2.22.1 CVE-2014-3643 High
jersey-media-multipart 2.22.1 CVE-2014-3643 High
jersey-proxy-client 2.22.1 CVE-2014-3643 High
jersey-server 2.22.1 CVE-2014-3643 High
jetty-annotations 9.4.21.v20190926 CVE-2020-27216 High
jetty-annotations 9.4.21.v20190926 CVE-2021-28165 High
jetty-continuation 9.4.21.v20190926 CVE-2020-27216 High
jetty-continuation 9.4.21.v20190926 CVE-2021-28165 High
jetty-http 9.4.21.v20190926 CVE-2020-27216 High
jetty-http 9.4.21.v20190926 CVE-2021-28165 High
jetty-io 9.4.21.v20190926 9.4.39 GHSA-26vr-8j45-3r4w High
jetty-io 9.4.21.v20190926 CVE-2020-27216 High
jetty-io 9.4.21.v20190926 CVE-2021-28165 High
jetty-plus 9.4.21.v20190926 CVE-2020-27216 High
jetty-plus 9.4.21.v20190926 CVE-2021-28165 High
jetty-rewrite 9.4.21.v20190926 CVE-2020-27216 High
jetty-rewrite 9.4.21.v20190926 CVE-2021-28165 High
jetty-schemas 3.1.M0 CVE-2009-5045 High
jetty-schemas 3.1.M0 CVE-2017-7656 High
jetty-schemas 3.1.M0 CVE-2017-7657 Critical
jetty-schemas 3.1.M0 CVE-2017-7658 Critical
jetty-schemas 3.1.M0 CVE-2017-9735 High
jetty-schemas 3.1.M0 CVE-2020-27216 High
jetty-security 9.4.21.v20190926 CVE-2020-27216 High
jetty-security 9.4.21.v20190926 CVE-2021-28165 High
jetty-server 9.4.21.v20190926 CVE-2020-27216 High
jetty-server 9.4.21.v20190926 CVE-2021-28165 High
jetty-servlet 9.4.21.v20190926 CVE-2020-27216 High
jetty-servlet 9.4.21.v20190926 CVE-2021-28165 High
jetty-util 9.4.21.v20190926 CVE-2020-27216 High
jetty-util 9.4.21.v20190926 CVE-2021-28165 High
jetty-webapp 9.4.21.v20190926 9.4.33 GHSA-g3wg-6mcf-8jj6 High
jetty-webapp 9.4.21.v20190926 CVE-2020-27216 High
jetty-webapp 9.4.21.v20190926 CVE-2021-28165 High
jetty-xml 9.4.21.v20190926 CVE-2020-27216 High
jetty-xml 9.4.21.v20190926 CVE-2021-28165 High
log4j 1.2.16 GHSA-2qrg-x229-3v8q Critical
log4j 1.2.16 CVE-2019-17571 Critical
mssql-jdbc 8.4.1 CVE-2017-16055 High
mybatis 3.1.1 3.5.6 GHSA-qq48-m4jx-xqh8 High
mybatis 3.1.1 CVE-2020-26945 High
netty-reactive-streams 2.0.5 CVE-2015-2156 High
netty-reactive-streams 2.0.5 CVE-2019-16869 High
netty-reactive-streams 2.0.5 CVE-2019-20444 Critical
netty-reactive-streams 2.0.5 CVE-2019-20445 Critical
netty-reactive-streams 2.0.5 CVE-2021-37136 High
netty-reactive-streams 2.0.5 CVE-2021-37137 High
netty-reactive-streams-http 2.0.5 CVE-2015-2156 High
netty-reactive-streams-http 2.0.5 CVE-2019-16869 High
netty-reactive-streams-http 2.0.5 CVE-2019-20444 Critical
netty-reactive-streams-http 2.0.5 CVE-2019-20445 Critical
netty-reactive-streams-http 2.0.5 CVE-2021-37136 High
netty-reactive-streams-http 2.0.5 CVE-2021-37137 High
smtp-server CVE-2006-2107 High
soapui 4.0.1 CVE-2014-1202 High
soapui 4.0.1 CVE-2019-12180 High
urllib3 1.24.2 1.26.5 GHSA-q2q7-5pp4-w6pg High
urllib3 1.24.2 CVE-2021-33503 High
webadmin CVE-2003-0471 High
xstream 1.4.12 1.4.14-jdk7 GHSA-mw36-7c6c-q4q2 High
xstream 1.4.12 1.4.17 GHSA-7chv-rrw6-w6fc High
xstream 1.4.12 1.4.18 GHSA-6w62-hx7r-mw68 High
xstream 1.4.12 1.4.18 GHSA-2q8x-2p7f-574v High
xstream 1.4.12 1.4.18 GHSA-hph2-m3g5-xxv4 High
xstream 1.4.12 1.4.18 GHSA-3ccq-5vw3-2p6x High
xstream 1.4.12 1.4.18 GHSA-qrx8-8545-4wg2 High
xstream 1.4.12 1.4.18 GHSA-h7v4-7xg3-hxcc High
xstream 1.4.12 1.4.18 GHSA-p8pq-r894-fm8f High
xstream 1.4.12 1.4.18 GHSA-8jrj-525p-826v High
xstream 1.4.12 1.4.18 GHSA-j9h8-phrw-h4fh High
xstream 1.4.12 1.4.18 GHSA-g5w6-mrj7-75h2 High
xstream 1.4.12 1.4.18 GHSA-64xx-cq4q-mf44 High
xstream 1.4.12 1.4.18 GHSA-cxfm-5m4g-x7xp High
xstream 1.4.12 1.4.18 GHSA-xw4p-crpj-vjx2 High
xstream 1.4.12 1.4.16 GHSA-2p3x-qw9c-25hh High
xstream 1.4.12 1.4.15 GHSA-4cch-wxpw-8p28 High
xstream 1.4.12 CVE-2020-26217 High
xstream 1.4.12 CVE-2020-26258 High
xstream 1.4.12 CVE-2021-21341 High
xstream 1.4.12 CVE-2021-21342 Critical
xstream 1.4.12 CVE-2021-21343 High
xstream 1.4.12 CVE-2021-21344 Critical
xstream 1.4.12 CVE-2021-21345 Critical
xstream 1.4.12 CVE-2021-21346 Critical
xstream 1.4.12 CVE-2021-21347 Critical
xstream 1.4.12 CVE-2021-21348 High
xstream 1.4.12 CVE-2021-21349 High
xstream 1.4.12 CVE-2021-21350 Critical
xstream 1.4.12 CVE-2021-21351 Critical
xstream 1.4.12 CVE-2021-29505 High
xstream 1.4.12 CVE-2021-39139 High
xstream 1.4.12 CVE-2021-39141 High
xstream 1.4.12 CVE-2021-39144 High
xstream 1.4.12 CVE-2021-39145 High
xstream 1.4.12 CVE-2021-39146 High
xstream 1.4.12 CVE-2021-39147 High
xstream 1.4.12 CVE-2021-39148 High
xstream 1.4.12 CVE-2021-39149 High
xstream 1.4.12 CVE-2021-39150 High
xstream 1.4.12 CVE-2021-39151 High
xstream 1.4.12 CVE-2021-39152 High
xstream 1.4.12 CVE-2021-39153 High
xstream 1.4.12 CVE-2021-39154 High

[Arodriguez81]

Same issue on my end. Are we planning any upgrade or workaround?

Summary
Eclipse Jetty is prone to a denial of service (DoS)
vulnerability.
Detection Result

Installed version: 9.4.21.20190926
Fixed version: 9.4.39
Installation
path / port: 443/tcp

Product Detection Result
Product

cpe:/a:eclipse:jetty:9.4.21.20190926
Method

MortBay / Eclipse Jetty Detection (HTTP) (OID: 1.3.6.1.4.1.25623.1.0.800953)
Log

View details of product detection
Detection Method
Checks if a vulnerable version is present on the target host.
Details:

Eclipse Jetty DoS Vulnerability (GHSA-26vr-8j45-3r4w) - Windows OID: 1.3.6.1.4.1.25623.1.0.117488
Version used:

2021-08-27T11:01:07Z
Affected Software/OS
Eclipse Jetty version 7.2.2 through 9.4.38, 10.0.0.alpha0
through 10.0.1 and 11.0.0.alpha0 through 11.0.1.
Impact
When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or
WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is
incorrectly handled, causing CPU resources to eventually reach 100% usage.
Solution
Solution Type:
Vendorfix
Update to version 9.4.39, 10.0.2, 11.0.2 or later. See the
referenced vendor advisory for a possible mitigation.
References
CVE

CVE-2021-28165
CERT

DFN-CERT-2021-2152DFN-CERT-2021-2045DFN-CERT-2021-1780DFN-CERT-2021-1736DFN-CERT-2021-1728DFN-CERT-2021-1665DFN-CERT-2021-1475DFN-CERT-2021-1332DFN-CERT-2021-1103DFN-CERT-2021-0840DFN-CERT-2021-0832CB-K21/1094CB-K21/1093
Other

GHSA-26vr-8j45-3r4w

[pacmano1]

Please consider looking at the tags of the issue prior to posting. You can already see: