QID 980387

QID 980387: Java (maven) Security Update for org.eclipse.jetty:jetty-server (GHSA-m394-8rww-3jr7)

Security update has been released for org.eclipse.jetty:jetty-server to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

When Jetty handles a request containing request headers with a large number of quality (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.

The only features within Jetty that can trigger this behavior are:

- Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc)
- `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc)
- `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which preferred language is returned on this call.
- `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.
- `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)

CVSS V3 rated as Medium - 5.3 severity.

CVSS V2 rated as Medium - 4.3 severity.

Solution

All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php)
- 9.4.37.v20210219 and greater
- 10.0.1 and greater
- 11.0.1 and greaterWorkaround:
Quality ordered values are used infrequently by jetty so they can be avoided by:

* Do not use the default error page/handler.
* Do not deploy the `StatisticsServlet` exposed to the network
* Do not call `getLocale` API
* Do not enable precompressed static content in the `DefaultServlet`

Vendor References

GHSA-m394-8rww-3jr7 - github.com/advisories/GHSA-m394-8rww-3jr7

CVEs related to QID 980387

CVE-2020-27223 |

Software Advisories

Advisory ID	Software	Component	Link
GHSA-m394-8rww-3jr7	org.eclipse.jetty:jetty-server		github.com/advisories/GHSA-m394-8rww-3jr7

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].