[jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr

Wed, 14 Apr 2021 04:00:10 -0700 

WCM RnD created SOLR-15338:
------------------------------

             Summary: High security vulnerability in Jetty library 
CVE-2021-28163 (+5) bundled within Solr
                 Key: SOLR-15338
                 URL: https://issues.apache.org/jira/browse/SOLR-15338
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 8.8.1
            Reporter: WCM RnD


High security vulnerability ahs been reported in the Jetty jar bundled within 
Solr:
h2. BDSA-2021-0848

*Vulnerability Details in BlackDuck:* see 
[BDSA-2021-0848|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0848]
*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket 
Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-04-02 06:29 EDT
*Vulnerability Updated:* 2021-04-02 06:29 EDT
*CVSS Score:* 6.7 (overall), {color:#FF0000}7.5{color} (base)

*Summary*: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid 
TLS frames. An attacker could exploit this by sending a TLS frame with a size 
in excess of 17408 resulting in excessive resource consumption leading to a DoS 
condition.

*Solution*: Fixed in 
[*10.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.2] 
and 
[*11.0.2*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.2] 
by 
[this|https://github.com/eclipse/jetty.project/commit/be22761a20a1685365c8e0356bf09b47e574cfd9]
 and 
[this|https://github.com/eclipse/jetty.project/commit/039c7386d0f3087d7c8aa19ea6001b24c95b9f16]
 commit. Fixed in 
[*9.4.39.v20210325*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
 by 
[this|https://github.com/eclipse/jetty.project/commit/00d379c94ba865dced2025c2d1bc3e2e0e41e880]
 and 
[this|https://github.com/eclipse/jetty.project/commit/294b2ba02b667548617a94cd99592110ac230add]
 commit.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to