Bug 571128 (CVE-2020-27223) - Jetty DOS vulnerability for Quoted Quality CSV headers
Summary: Jetty DOS vulnerability for Quoted Quality CSV headers
Status: CLOSED MOVED
Alias: CVE-2020-27223
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All, OS: All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-11 10:02 EST by Christopher Walker CLA
Modified: 2023-03-08 03:23 EST

See Also:


Description Christopher Walker CLA 2021-02-11 10:02:59 EST
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114, 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

This impacts many users of Eclipse Jetty Server.

Workarounds

Quality ordered values are used infrequently by jetty so they can be avoided by:

Do not use the default error page/handler.
Do not deploy the StatisticsServlet exposed to the network.
Do not call getLocale API.
Do not enable pre-compressed static content in the DefaultServlet.

Alternately, a rewrite rule can be deployed to limit the number and size of Accept-* fields in the header.

CWEs
CWE-407

CVSS Score
5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L


We are currently working on patches for this and will let you know when they are available.
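As an added example (not code from the Jetty project or from the reporter), the following Python pre-check applies the limits that the description suggests for a rewrite rule: a cap on the number of Accept-* fields, on the length of each field, and on the total number of q= parameters a request carries. The thresholds and the two header sets are constructed for illustration; a proxy or filter in front of an unpatched server would apply the same rule before the request reaches the quality-value parser.

```python
"""Pre-check for the Accept-* header pattern behind CVE-2020-27223.

A request with many Accept-* fields, each carrying many ';q=' parameters,
is rejected before any quality-value parsing takes place.
"""
import re

# Constructed limits for illustration; tune them to the traffic you actually see.
MAX_ACCEPT_FIELDS = 8       # Accept, Accept-Encoding, Accept-Language, ... per request
MAX_FIELD_LENGTH = 1024     # characters of value allowed in one Accept-* field
MAX_Q_PARAMS = 32           # total ';q=' parameters across all Accept-* fields

_Q_PARAM = re.compile(r";\s*q\s*=", re.IGNORECASE)


def _is_accept_field(name: str) -> bool:
    lowered = name.lower()
    return lowered == "accept" or lowered.startswith("accept-")


def check_accept_headers(headers):
    """Return (allowed, reasons) for a list of (name, value) header pairs.

    One pair per header line, as a proxy or servlet filter would see them.
    A request is allowed only when no limit is exceeded; reasons lists each
    violated limit so the decision can be logged.
    """
    reasons = []
    accept_fields = [(n, v) for n, v in headers if _is_accept_field(n)]
    if len(accept_fields) > MAX_ACCEPT_FIELDS:
        reasons.append(f"{len(accept_fields)} Accept-* fields exceed {MAX_ACCEPT_FIELDS}")
    q_total = 0
    for name, value in accept_fields:
        if len(value) > MAX_FIELD_LENGTH:
            reasons.append(f"{name} value length {len(value)} exceeds {MAX_FIELD_LENGTH}")
        q_total += len(_Q_PARAM.findall(value))
    if q_total > MAX_Q_PARAMS:
        reasons.append(f"{q_total} q= parameters exceed {MAX_Q_PARAMS}")
    return (not reasons, reasons)


# Constructed sample: an ordinary browser-style request.
BENIGN = [
    ("Host", "example.invalid"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Language", "en-GB,en;q=0.7"),
    ("Accept-Encoding", "gzip, deflate, br"),
]

# Constructed sample: twenty Accept fields, each with two hundred q= parameters.
ABUSIVE = [("Host", "example.invalid")] + [
    ("Accept", ",".join(f"text/x{i};q=0.{i % 10}" for i in range(200)))
    for _ in range(20)
]
```

Running `check_accept_headers(BENIGN)` allows the request, while `check_accept_headers(ABUSIVE)` rejects it with one reason per violated limit.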
Comment 1 Wayne Beaton CLA 2021-02-11 12:12:13 EST
> We are currently working on patches for this and will let you know when they
> are available.

Do you want me to create and publish a CVE now, or wait until the patches are available?
Comment 2 Christopher Walker CLA 2021-02-11 12:17:44 EST
If you have a CVE # available that would be great but I would wait to publish until we have an official set of releases that fix the issue.
Comment 3 Wayne Beaton CLA 2021-02-11 17:17:06 EST
CVE-2020-27223

Do not use this publicly until after we disclose.
Comment 4 Christopher Walker CLA 2021-02-22 12:57:25 EST
We have releases prepared that fix this issue - 9.4.37.v20210219, 10.0.1, and 11.0.1 .
Comment 5 Wayne Beaton CLA 2021-02-23 21:07:47 EST
I'm ready to go when you are.

I believe that you need me to push the button to submit the security advisory on GitHub. When you're ready for that, give me a link and a very direct statement saying that you want me to submit it.
Comment 6 Greg Wilkins CLA 2021-02-24 06:35:54 EST
Wayne, we've had a regression reported with 9.4.37, so we are just building a 9.4.38. We'd like to hold off the CVE until we have a good release to upgrade to.
Jetty 10 and 11 were not affected, so it's just a 9.4 build we are waiting on. Should be another 24 hours.
Comment 7 Christopher Walker CLA 2021-02-26 15:53:53 EST
Wayne,

We are good to go. Please publish the CVE and the Security Advisory on GitHub.
Comment 8 Wayne Beaton CLA 2021-02-26 16:25:45 EST
(In reply to Christopher Walker from comment #7)
> Wayne,
> 
> We are good to go. Please publish the CVE and the Security Advisory on
> GitHub.

While I'm confident in my ability to hunt down the security advisory, it will go a lot faster if you can provide a link :-)
Comment 10 Wayne Beaton CLA 2021-02-26 16:45:03 EST
Done.
Comment 11 Jason Culligan CLA 2021-03-09 12:14:17 EST
(In reply to Christopher Walker from comment #0)
> In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114, 10.0.0, and 11.0.0
> when Jetty handles a request containing multiple Accept headers with a large
> number of “quality” (i.e. q) parameters, the server may enter a denial of
> service (DoS) state due to high CPU usage processing those quality values,
> resulting in minutes of CPU time exhausted processing those quality values.
> 
> This impacts many users of Eclipse Jetty Server.
> 
> Workarounds
> 
> Quality ordered values are used infrequently by jetty so they can be avoided
> by:
> 
> Do not use the default error page/handler.
> Do not deploy the StatisticsServlet exposed to the network.
> Do not call getLocale API.
> Do not enable pre-compressed static content in the DefaultServlet.
> 
> Alternately, a rewrite rule can be deployed to limit the number and size of
> Accept-* fields in the header.
> 
> CWEs
> CWE-407
> 
> CVSS Score
> 5.3 Moderate
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
> 
> 
> We are currently working on patches for this and will let you know when they
> are available.

Why is the CVSS score now 7.5? Its availability impact has changed from low to high:
WAS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
NOW: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Comment 12 Greg Wilkins CLA 2021-03-10 01:48:39 EST
Jason,

Good question. The availability is certainly not high, as there is not a "total loss of availability". The server does not crash or lock up, and all requests continue to be handled, with just the attacking requests consuming more CPU from a single core per request.


Wayne,

Do you know where in the process the status was changed to High? The GitHub advisory has it correctly as low (reduced performance). Is it possible to get this corrected, as there has been a fair bit of coverage of this issue that is perhaps overstating the impact?
Comment 13 Wayne Beaton CLA 2021-03-11 16:15:30 EST
Where is it showing as high?

AFAICT, the advisory shows moderate and the CVSS score is as specified?
Comment 14 Christopher Walker CLA 2021-03-11 16:45:02 EST
Wayne, NVD shows it as high.

https://nvd.nist.gov/vuln/detail/CVE-2020-27223
Comment 15 Wayne Beaton CLA 2021-03-11 17:18:51 EST
My best guess is that the folks at NIST are calculating it themselves. I don't know the process that NIST follows to populate their data set from what's in the CVE database, but I'll investigate.

In the meantime, I've updated the CVE to include the CVSS and I'll update my process to make sure that we include it from now on (my update is under review by the Mitre folks). I'm hopeful that the NIST process will pick up the change and we'll be off to the races.
Comment 16 Wayne Beaton CLA 2021-03-12 11:38:18 EST
The update was accepted and is now reflected by both Mitre and NIST. The old score is still there on NIST, however. It looks like somewhere in the chain of events that took the report from Mitre to NIST, CWE 400 was also added. My assumption is that this is related.

The page does say:

> This vulnerability has been modified since it was last analyzed by the NVD. 
> It is awaiting reanalysis which may result in further changes to the 
> information provided.

I'll try to sort out where this extra analysis was added and whether or not we'll need to start dealing directly with NIST.
Comment 17 Sandeeph Ramdass CLA 2021-03-16 03:40:44 EDT
Hi,

Would like to know whether this CVE is applicable to the deprecated version 9.2.
Currently we are using Jetty 9.2.25.

Our product supports Java 1.7. Due to this limitation we didn't plan for an upgrade.

Can you please confirm if CVEs are tracked for deprecated versions? If so, is this CVE applicable to Jetty version 9.2.25?
Comment 18 Sandeeph Ramdass CLA 2021-03-16 09:06:51 EDT
(In reply to Sandeeph Ramdass from comment #17)
> Hi,
> 
> Would like to know whether this CVE is applicable to the deprecated version 9.2.
> Currently we are using Jetty 9.2.25.
> 
> Our product supports Java 1.7. Due to this limitation we didn't plan for an
> upgrade.
> 
> Can you please confirm if CVEs are tracked for deprecated versions? If so,
> is this CVE applicable to Jetty version 9.2.25?


From https://www.eclipse.org/lists/jetty-announce/msg00151.html

We understood that the issue is with QuotedQualityCSV, which was introduced in versions of Jetty above 9.2.25.

Hope that clears my query.
Comment 19 Christopher Walker CLA 2021-03-16 12:03:14 EDT
No, the 9.2.x branch was not affected by this. The functionality itself was not introduced until 9.3.8 and was only discovered as vulnerable in 9.4.6.
Comment 20 Frederic Gurr CLA 2021-12-23 06:47:05 EST
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/564.