[jetty-dev] Jetty Advisory - Multiple components subject to DoS attacks that can lead to OutOfMemoryError

Jetty is publishing multiple CVEs for components that are subject to DoS attacks
that can lead to OutOfMemoryError failures on the server side.

* CVE-2024-8184 - ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
* CVE-2024-9823 - DOS vulnerability on DosFilter
* CVE-2024-6762 - PushSessionCacheFilter can cause remote DoS attacks


https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq
ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
Severity: Moderate (5.9 / 10)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2024-8184
Reporter/Credit: https://github.com/HRsGIT

There exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()`
which can be exploited by unauthorized users to cause a remote denial-of-service
(DoS) attack. By repeatedly sending crafted requests, attackers can trigger
OutOfMemory errors and exhaust the server's memory.

Patched in Jetty 12.0.9, 11.0.24, 10.0.24, and 9.4.56
Workarounds:
Do not use ThreadLimitHandler.
Consider use of QoSHandler instead to artificially limit resource utilization.


https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h
DOS vulnerability on DosFilter
Severity: Moderate (5.3 / 10)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2024-9823
Reporter/Credit: https://github.com/LianKee

There exists a security vulnerability in Jetty's DoSFilter which can be
exploited by unauthorized users to cause a remote denial-of-service (DoS)
attack on a server using DoSFilter. By repeatedly sending crafted requests,
attackers can trigger OutOfMemory errors and finally exhaust the server's memory.

Patched in 12.0.3, 11.0.18, 10.0.18, and 9.4.54
Workarounds:
The DoSFilter can be configured to not use sessions for tracking usage by
setting the `trackSessions` init parameter to false. This will then use only
the IP tracking mechanism, which is not vulnerable.
Sessions can also be configured to have aggressive passivation or inactivation limits.


https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79
PushSessionCacheFilter can cause remote DoS attacks
Severity: Low (3.1 / 10)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
CVE-2024-6762
Reporter/Credit: https://github.com/LianKee

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to
launch remote DoS attacks by exhausting the server’s memory.

Patched in 12.0.4, 11.0.18, and 10.0.18.
Workarounds:
Do not use the `PushCacheFilter` or `PushSessionCacheFilter`.
HTTP Push has been deprecated by the various IETF specs and replaced
with the "103 Early Hints" response types instead (RFC8297).
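
A triage helper for the patched versions listed above, added here as an example; it is not part of the Jetty project's message or code. The function names `parse_version` and `triage` and the sample version strings are constructed for illustration. It assumes any release below the patched version on its release line needs the upgrade, since the advisory text gives no affected ranges.

```python
import re

# Patched releases per release line, copied from the advisory text above.
PATCHED = {
    "CVE-2024-8184": {"12.0": "12.0.9", "11.0": "11.0.24", "10.0": "10.0.24", "9.4": "9.4.56"},
    "CVE-2024-9823": {"12.0": "12.0.3", "11.0": "11.0.18", "10.0": "10.0.18", "9.4": "9.4.54"},
    "CVE-2024-6762": {"12.0": "12.0.4", "11.0": "11.0.18", "10.0": "10.0.18"},
}
# Component that must be deployed for each CVE to matter (names from the advisory).
COMPONENT = {
    "CVE-2024-8184": "ThreadLimitHandler",
    "CVE-2024-9823": "DoSFilter",
    "CVE-2024-6762": "PushSessionCacheFilter",
}

def parse_version(text):
    """Return (major, minor, patch); a qualifier such as '.v20231009' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-].*)?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(version):
    """Map each CVE to 'patched', 'upgrade to X', or 'no fix listed for N.M'."""
    current = parse_version(version)
    line = f"{current[0]}.{current[1]}"
    result = {}
    for cve, fixes in PATCHED.items():
        fixed = fixes.get(line)
        if fixed is None:
            # The advisory names no patched release on this line and does not
            # say whether the line is affected, so flag it for manual review.
            result[cve] = f"no fix listed for {line}"
        elif current >= parse_version(fixed):
            result[cve] = "patched"
        else:
            result[cve] = f"upgrade to {fixed}"
    return result

if __name__ == "__main__":
    # Constructed inventory of version strings, not taken from any real host.
    for v in ["9.4.53.v20231009", "12.0.3", "11.0.24"]:
        for cve, status in triage(v).items():
            print(f"{v:20} {cve} ({COMPONENT[cve]}): {status}")
```

A result other than "patched" only matters when the named component is actually deployed, which has to be checked against the server's handler and filter configuration.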
