In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114, 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

This impacts many users of Eclipse Jetty Server.

Workarounds

Quality ordered values are used infrequently by Jetty so they can be avoided by:

- Do not use the default error page/handler.
- Do not deploy the StatisticsServlet exposed to the network.
- Do not call the getLocale API.
- Do not enable pre-compressed static content in the DefaultServlet.

Alternately, a rewrite rule can be deployed to limit the number and size of Accept-* fields in the header.

CWEs
CWE-407

CVSS Score
5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

We are currently working on patches for this and will let you know when they are available.
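The report's second workaround is to cap the number and size of Accept-* fields before Jetty's quality-value parsing ever sees them. The following is an added illustration of that check as a standalone pre-filter (the kind a reverse proxy, WAF or servlet filter would run); it is not Jetty's RewriteHandler rule and not code from the Jetty project, and the limit values and sample requests are hypothetical. Besides field count and byte size it also counts ";q=" parameters directly, since a short header can still carry many of them.

```python
"""Pre-filter capping the number and size of Accept-* header fields.

Added illustration of the workaround in the report above ("limit the number
and size of Accept-* fields in the header").  It is not Jetty's RewriteHandler
rule and not code from the Jetty project; it is the same idea written as a
standalone function that a reverse proxy, WAF or servlet filter could run
before the request reaches the server.  The limit values are hypothetical.
"""
from dataclasses import dataclass
import re

# Every header whose name starts with "accept" carries a quality-ordered list:
# Accept, Accept-Charset, Accept-Encoding, Accept-Language.
ACCEPT_PREFIX = "accept"

# One ";q=" parameter (case-insensitive, optional whitespace around "=").
Q_PARAM = re.compile(r";\s*q\s*=", re.IGNORECASE)


@dataclass(frozen=True)
class AcceptLimits:
    """Hypothetical per-request budget; tune to what your clients really send."""
    max_fields: int = 4       # Accept-* header lines, counting repeats
    max_elements: int = 32    # comma-separated entries across all of them
    max_qvalues: int = 16     # ";q=" parameters across all of them
    max_bytes: int = 2048     # total size of all Accept-* values


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    fields: int
    elements: int
    qvalues: int
    total_bytes: int
    reason: str = ""


def check_accept_headers(headers, limits=AcceptLimits()):
    """Return a Verdict for a list of (name, value) pairs.

    Repeated header names stay as separate pairs: a request can carry several
    Accept lines, which is exactly the shape the advisory describes.
    """
    fields = elements = qvalues = total_bytes = 0
    for name, value in headers:
        if not name.lower().startswith(ACCEPT_PREFIX):
            continue
        fields += 1
        total_bytes += len(value.encode("utf-8"))
        for element in value.split(","):
            if element.strip():
                elements += 1
            # Count every q parameter, including repeats within one element.
            qvalues += len(Q_PARAM.findall(element))

    counts = (fields, elements, qvalues, total_bytes)
    checks = (
        (qvalues > limits.max_qvalues, "too many q parameters"),
        (elements > limits.max_elements, "too many list elements"),
        (fields > limits.max_fields, "too many Accept-* fields"),
        (total_bytes > limits.max_bytes, "Accept-* values too large"),
    )
    for failed, reason in checks:
        if failed:
            return Verdict(False, *counts, reason)
    return Verdict(True, *counts)


# Constructed sample requests (not captured traffic).
SAMPLE_BENIGN = [
    ("Host", "example.test"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Encoding", "gzip, deflate, br"),
    ("Accept-Language", "en-US,en;q=0.5"),
]
# One short Accept line stuffed with q parameters: small in bytes, expensive
# to sort, and what a byte-size limit alone would let through.
SAMPLE_ABUSIVE = [("Accept", ",".join("a/b;q=1" for _ in range(20)))]

if __name__ == "__main__":
    for label, req in (("benign", SAMPLE_BENIGN), ("abusive", SAMPLE_ABUSIVE)):
        print(label, check_accept_headers(req))
```

The q-parameter check is tested first on purpose: the abusive sample is only 159 bytes and a single field, so the byte and field limits would pass it, while the twenty q parameters trip the budget. Rejecting with a 4xx at the edge keeps the cost off the origin's CPU, which is the resource the advisory says is exhausted.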
> We are currently working on patches for this and will let you know when they
> are available.

Do you want me to create and publish a CVE now, or wait until the patches are available?
If you have a CVE # available that would be great but I would wait to publish until we have an official set of releases that fix the issue.
CVE-2020-27223 Do not use this publicly until after we disclose.
We have releases prepared that fix this issue: 9.4.37.v20210219, 10.0.1, and 11.0.1.
I'm ready to go when you are. I believe that you need me to push the button to submit the security advisory on GitHub. When you're ready for that, give me a link and a very direct statement saying that you want me to submit it.
Wayne, we've had a regression reported with 9.4.37, so we are just building a 9.4.38. We'd like to hold off the CVE until we have a good release to upgrade to. Jetty 10 and 11 were not affected, so it's just a 9.4 build we are waiting on. Should be another 24 hours.
Wayne, We are good to go. Please publish the CVE and the Security Advisory on GitHub.
(In reply to Christopher Walker from comment #7)
> Wayne,
>
> We are good to go. Please publish the CVE and the Security Advisory on
> GitHub.

While I'm confident in my ability to hunt down the security advisory, it will go a lot faster if you can provide a link :-)
Here ya go! https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
Done.
(In reply to Christopher Walker from comment #0)
> In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114, 10.0.0, and 11.0.0
> when Jetty handles a request containing multiple Accept headers with a large
> number of “quality” (i.e. q) parameters, the server may enter a denial of
> service (DoS) state due to high CPU usage processing those quality values,
> resulting in minutes of CPU time exhausted processing those quality values.
>
> This impacts many users of Eclipse Jetty Server.
>
> Workarounds
>
> Quality ordered values are used infrequently by jetty so they can be avoided
> by:
>
> Do not use the default error page/handler.
> Do not deploy the StatisticsServlet exposed to the network.
> Do not call getLocale API.
> Do not enable pre-compressed static content in the DefaultServlet.
>
> Alternately, I rewrite rule can be deployed to limit the number and size of
> Accept-* fields in the header.
>
> CWEs
> CWE-407
>
> CVSS Score
> 5.3 Moderate
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
>
> We are currently working on patches for this and will let you know when they
> are available.

Why is the CVSS score now 7.5? Its availability impact has changed from low to high:

WAS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
NOW: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Jason,

Good question. The availability is certainly not high as there is not a "total loss of availability". The server does not crash or lock up, and all requests continue to be handled, with just the attacking requests consuming more CPU from a single core per request.

Wayne,

Do you know where in the process the status was changed to High? The GitHub advisory has it correctly as low (reduced performance). Is it possible to get this corrected, as there has been a fair bit of coverage of this issue that is perhaps overstating the impact?
Where is it showing as high? AFAICT, the advisory shows moderate and the CVSS score is as specified?
Wayne, NVD shows it as high. https://nvd.nist.gov/vuln/detail/CVE-2020-27223
My best guess is that the folks at NIST are calculating it themselves. I don't know the process that NIST follows to populate their data set from what's in the CVE database, but I'll investigate. In the meantime, I've updated the CVE to include the CVSS and I'll update my process to make sure that we include it from now on (my update is under review by the Mitre folks). I'm hopeful that the NIST process will pick up the change and we'll be off to the races.
The update was accepted and is now reflected by both Mitre and NIST. The old score is still there on NIST, however. It looks like somewhere in the chain of events that took the report from Mitre to NIST, CWE-400 was also added. My assumption is that this is related. The page does say:

> This vulnerability has been modified since it was last analyzed by the NVD.
> It is awaiting reanalysis which may result in further changes to the
> information provided.

I'll try to sort out where this extra analysis was added and whether or not we'll need to start dealing directly with NIST.
Hi,

Would like to know whether this CVE is applicable for the deprecated version 9.2. Currently we are using Jetty 9.2.25.

Our product supports Java 1.7. Due to this limitation we didn't plan for an upgrade.

Can you please confirm if CVEs are tracked for deprecated versions? If so, is this CVE applicable for Jetty 9.2.25?
(In reply to Sandeeph Ramdass from comment #17)
> Hi,
>
> Would like to know whether this CVE is applicable for deprecated version 9.2.
> Currently we are using Jetty 9.2.25.
>
> Our product supports Java 1.7. Due to this limitation we didn't planned for
> upgrade.
>
> Can you please confirm, if CVE's are tracked for deprecated versions? If so,
> Is this CVE applicable for Jetty 9.2.25 version?

From https://www.eclipse.org/lists/jetty-announce/msg00151.html we understood that the issue is with QuotedQualityCSV, which was introduced in versions of Jetty later than 9.2.25. Hope that clears my query.
No, the 9.2.x branch was not affected by this. The functionality itself was not introduced until 9.3.8 and was only discovered as vulnerable in 9.4.6.
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/564.