Hello!
The Eclipse Jetty team wanted to make the community aware of a vulnerability discovered in recent versions of Jetty. This was given a CVE identifier of CVE-2020-27223.

Impact

When Jetty handles a request containing request headers with a large number of "quality" (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.

The only features within Jetty that can trigger this behavior are:

- Default Error Handling - the `Accept` request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc)
- StatisticsServlet - uses the `Accept` request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc)
- HttpServletRequest.getLocale() - uses the `Accept-Language` request header with the QuotedQualityCSV to determine which "preferred" language is returned on this call.
- HttpServletRequest.getLocales() - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.
- DefaultServlet - uses the `Accept-Encoding` request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)

Versions

QuotedQualityCSV was introduced in Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. Currently, known vulnerable versions include:

- 9.4.6.v20170531 through 9.4.36.v20210114
- 10.0.0
- 11.0.0

Workarounds

Quality ordered values are used infrequently by Jetty, so they can be avoided:

- Do not use the default error page/handler.
- Do not deploy the StatisticsServlet exposed to the network
- Do not call the getLocale or getLocales APIs
- Do not include pre-compressed static content for the DefaultServlet to make the determination on

Alternately, a rewrite rule can be deployed to limit the number and size of Accept-* fields in the header.

Patches

All patches are available for download from the Eclipse Jetty website at https://www.eclipse.org/jetty/download.php

- 9.4.37 and greater
- 10.0.1 and greater
- 11.0.1 and greater

Thank you,
The Eclipse Jetty Team
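The rewrite-rule workaround above can also be applied inside the web app. The following servlet Filter is an added example (not Jetty code and not from the announcement): it rejects a request when any Accept* header is too long or lists too many comma-separated values, so QuotedQualityCSV never receives an oversized list. The limits, the class name and the use of the javax.servlet API (Jetty 9.4 and 10; Jetty 11 uses jakarta.servlet) are assumptions.

```java
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.*;
import javax.servlet.http.*;

/** Constructed example: bounds Accept-* list sizes before Jetty's QuotedQualityCSV ever sorts them. */
public class AcceptHeaderLimitFilter implements Filter {
    // The limits are assumptions: browsers send a handful of values, an abusive request sends thousands.
    static final int MAX_VALUES_PER_HEADER = 32;
    static final int MAX_HEADER_LENGTH = 1024;

    /** Upper bound on list elements (commas + 1); a quoted comma over-counts, which only tightens the check. */
    static int countValues(String headerValue) {
        int n = 1;
        for (int i = 0; i < headerValue.length(); i++) if (headerValue.charAt(i) == ',') n++;
        return n;
    }
    /** True if any Accept* header is too long or, across repeated fields, lists too many values. */
    static boolean exceedsLimits(HttpServletRequest req) {
        Enumeration<String> names = req.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (!name.toLowerCase().startsWith("accept")) continue; // Accept, Accept-Encoding, Accept-Language
            int total = 0;
            Enumeration<String> values = req.getHeaders(name);
            while (values.hasMoreElements()) {
                String v = values.nextElement();
                if (v.length() > MAX_HEADER_LENGTH) return true;
                total += countValues(v);
                if (total > MAX_VALUES_PER_HEADER) return true;
            }
        }
        return false;
    }
    @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        if (exceedsLimits(req)) {
            // Reply directly: sendError() would route to the default ErrorHandler, which parses Accept with QuotedQualityCSV.
            res.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            res.setContentType("text/plain");
            res.getWriter().write("Too many Accept-* header values");
            return;
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter to `/*` so it runs ahead of the DefaultServlet and of any application code that calls getLocale(); it does not cover requests that never reach this context (for example the server-level default error handler), which is where the rewrite rule or a patched version is still needed.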
_______________________________________________
jetty-users mailing list
[email protected]
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
