[Bug 571128] Jetty DOS vulnerability for Quoted Quality CSV headers
Bugzilla Link | 571128 |
Status | NEW |
Importance | P3 normal |
Reported | Feb 11, 2021 10:02 EDT |
Modified | Mar 16, 2021 12:03 EDT |
Description
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114, 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
This impacts many users of Eclipse Jetty Server.
Workarounds
Quality-ordered values are used infrequently by Jetty, so the affected code paths can be avoided by:
Do not use the default error page/handler.
Do not deploy the StatisticsServlet exposed to the network.
Do not call the getLocale API.
Do not enable pre-compressed static content in the DefaultServlet.
Alternately, a rewrite rule can be deployed to limit the number and size of Accept-* fields in the header.
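As an added illustration of the rewrite-rule workaround (this is example code, not code from the Jetty project or from this bug report), the following custom rule for Jetty's RewriteHandler rejects a request before any Accept-* value is parsed for quality ordering when the request carries more Accept-* fields, a longer field value, or more ";q=" parameters than configured limits allow. It assumes the Jetty 9.4/10 rewrite module API (org.eclipse.jetty.rewrite.handler.Rule with matchAndApply(String, HttpServletRequest, HttpServletResponse)); Jetty 11 uses the same shape with jakarta.servlet imports. The class name AcceptHeaderLimitRule, the method countQualityParams and the numeric limits are assumptions chosen for the example.

```java
// Added example (not Jetty project code): a RewriteHandler rule that rejects
// requests carrying too many, too long, or too q-heavy Accept-* header fields.
// Assumes the Jetty 9.4/10 rewrite API; Jetty 11 needs jakarta.servlet imports.
import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.rewrite.handler.RewriteHandler;
import org.eclipse.jetty.rewrite.handler.Rule;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.DefaultHandler;

public class AcceptHeaderLimitRule extends Rule {
    private final int maxFields;        // max number of Accept-* header fields per request
    private final int maxFieldLength;   // max length (chars) of any single Accept-* value
    private final int maxQualityParams; // max ";q=" parameters summed over all Accept-* values

    public AcceptHeaderLimitRule(int maxFields, int maxFieldLength, int maxQualityParams) {
        this.maxFields = maxFields;
        this.maxFieldLength = maxFieldLength;
        this.maxQualityParams = maxQualityParams;
        setTerminating(true); // no further rules run once this one matches
        setHandling(true);    // mark the request handled so no servlet ever sees it
    }

    @Override
    public String matchAndApply(String target, HttpServletRequest request,
                                HttpServletResponse response) throws IOException {
        int fields = 0;
        int qualityParams = 0;
        Enumeration<String> names = request.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = names.nextElement();
            // Covers Accept, Accept-Encoding, Accept-Language, Accept-Charset (case-insensitive).
            if (!name.regionMatches(true, 0, "accept", 0, 6)) {
                continue;
            }
            Enumeration<String> values = request.getHeaders(name);
            while (values != null && values.hasMoreElements()) {
                String value = values.nextElement();
                fields++;
                if (fields > maxFields || value.length() > maxFieldLength) {
                    return reject(target, response);
                }
                qualityParams += countQualityParams(value);
                if (qualityParams > maxQualityParams) {
                    return reject(target, response);
                }
            }
        }
        return null; // null means "no match": the request continues untouched
    }

    // Counts ";q=" / "; q=" occurrences without tokenising the whole value,
    // so the check itself stays linear in the header length.
    static int countQualityParams(String value) {
        int count = 0;
        int i = value.indexOf(';');
        while (i >= 0) {
            int j = i + 1;
            while (j < value.length() && (value.charAt(j) == ' ' || value.charAt(j) == '\t')) {
                j++;
            }
            if (j + 1 < value.length()
                    && (value.charAt(j) == 'q' || value.charAt(j) == 'Q')
                    && value.charAt(j + 1) == '=') {
                count++;
            }
            i = value.indexOf(';', i + 1);
        }
        return count;
    }

    private String reject(String target, HttpServletResponse response) throws IOException {
        // 431 Request Header Fields Too Large (RFC 6585); the body is the default error page.
        response.sendError(431);
        return target; // a non-null return tells RewriteHandler the rule matched
    }

    // Minimal wiring: limits below are constructed values for the example, tune per deployment.
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        RewriteHandler rewrite = new RewriteHandler();
        rewrite.addRule(new AcceptHeaderLimitRule(8, 512, 32));
        rewrite.setHandler(new DefaultHandler()); // stand-in for the real application handler
        server.setHandler(rewrite);
        server.start();
        server.join();
    }
}
```

Because the rule inspects header strings with a single linear scan and never invokes the quality-list parsing, the per-request cost stays bounded even for a request built to trigger the expensive path; a 431 response also leaves a clear signal in access logs for detection.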
CWEs
CWE-407
CVSS Score
5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
We are currently working on patches for this and will let you know when they are available.