[jetty-announce] Eclipse Jetty DOS vulnerability for Quoted Quality CSV

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-announce] Eclipse Jetty DOS vulnerability for Quoted Quality CSV headers

From: Chris Walker <chris@xxxxxxxxxxx>
Date: Fri, 26 Feb 2021 15:52:07 -0600
Delivered-to: jetty-announce@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-announce/>
List-help: <mailto:jetty-announce-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-announce>, <mailto:jetty-announce-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-announce>, <mailto:jetty-announce-request@eclipse.org?subject=unsubscribe>

Hello!

The Eclipse Jetty team wanted to make the community aware of a vulnerability discovered in recent versions of Jetty. This was given a CVE identifier of CVE-2020-27223.

Impact

When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.

The only features within Jetty that can trigger this behavior are:

Default Error Handling - the `Accept` request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc)

StatisticsServlet - uses the `Accept` request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc)

HttpServletRequest.getLocale() - uses the `Accept-Language` request header with the QuotedQualityCSV to determine which “preferred” language is returned on this call.

HttpservletRequest.getLocales() - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.

DefaultServlet - uses the `Accept-Encoding` request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)

Versions

QuotedQualityCSV was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. Currently, known vulnerable versions include:

9.4.6.v20170531 thru to 9.4.36.v20210114
10.0.0
11.0.0

Workarounds

Quality ordered values are used infrequently by Jetty so they can be avoided:

Do not use the default error page/handler.
Do not deploy the StatisticsServlet exposed to the network
Do not call the getLocale or getLocales APIs
Do not include pre-compressed static content for the DefaultServlet to make the determination on

Alternately, a rewrite rule can be deployed to limit the number and size of Accept-* fields in the header.

Patches

All patches are available for download from the Eclipse Jetty website at https://www.eclipse.org/jetty/download.php

9.4.37 and greater
10.0.1 and greater
11.0.1 and greater

Thank you,

The Eclipse Jetty Team

Prev by Date: [jetty-announce] Eclipse Jetty 9.4.36 Has Been Released!
Next by Date: [jetty-announce] Eclipse Jetty 9.4.38, 10.0.1, and 11.0.1 Have Been Released!
Previous by thread: [jetty-announce] Eclipse Jetty 9.4.36 Has Been Released!
Next by thread: [jetty-announce] Eclipse Jetty 9.4.38, 10.0.1, and 11.0.1 Have Been Released!
Index(es):
- Date
- Thread

Breadcrumbs

Impact

Versions

Workarounds