Hello,
The Eclipse Jetty team wanted to make the community aware of three recent CVEs that were discovered in the Jetty project. All three have been patched in the most recent releases of Jetty. Details concerning each CVE, as well as workarounds, are below.
CVE-2021-28165 - Invalid Large TLS Frame causes 100% Usage
Affected Jetty Versions
7.2.2-9.4.38, 10.0.0.alpha0-10.0.1, 11.0.0.alpha0-11.0.1
Impact
When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.
Patched Jetty Versions
9.4.39, 10.0.2, 11.0.2
Workarounds
Please see the Security Advisory for the workaround to this issue.
CVE ID
CVE-2021-28165
CWE
CWE-400
CVSS Score
7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-28164 - Ambiguous paths can access WEB-INF
Affected Jetty Versions
9.4.37 - 9.4.38
Impact
Since 9.4.37, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Patched Jetty Versions
9.4.39
Workarounds
The HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS can be enabled by updating start.d/http.ini to include:
CVE ID
CVE-2021-28164
CWEs
CWE-200, CWE-551
CVSS Score
5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
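As an added example (not code from the advisory or the Jetty project), the following Python scanner shows how a defender can check access logs for requests of the kind described above: a raw path containing an encoded dot segment (%2e, %2e%2e, or mixed forms such as .%2E) that, once decoded and resolved, lands in a protected directory. The log lines are constructed, the common-log-format layout is assumed, and the protected-directory list also includes META-INF, which the advisory does not mention.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2021:10:00:01 +0000] "GET /context/index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Apr/2021:10:00:02 +0000] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 1024
10.0.0.9 - - [01/Apr/2021:10:00:03 +0000] "GET /context/a/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 1024
10.0.0.9 - - [01/Apr/2021:10:00:04 +0000] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.11 - - [01/Apr/2021:10:00:05 +0000] "GET /context/a/../static/logo.png HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PROTECTED = ("WEB-INF", "META-INF")  # assumed list; the advisory names WEB-INF only

def has_encoded_dot_segment(raw_path):
    """True if any raw (undecoded) segment decodes to '.' or '..', e.g. %2e, %2e%2e, .%2E."""
    return any("%" in seg and unquote(seg) in (".", "..")
               for seg in raw_path.split("/"))

def normalize(raw_path):
    """Decode, then resolve '.' and '..' segments the way a file mapping would."""
    out = []
    for seg in unquote(raw_path).split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def is_ambiguous_protected_access(raw_path):
    """Encoded dot segment present AND the resolved path enters a protected directory."""
    if not has_encoded_dot_segment(raw_path):
        return False
    return any(seg.upper() in PROTECTED for seg in normalize(raw_path).split("/"))

def scan_log(text):
    """Return (line_no, client_ip, raw_target, resolved_path) for every flagged request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            target = m.group("target").split("?", 1)[0]  # drop the query string
            if is_ambiguous_protected_access(target):
                hits.append((n, line.split(" ", 1)[0], target, normalize(target)))
    return hits
```

Running scan_log(SAMPLE_LOG) flags only the two requests that reach /context/WEB-INF/web.xml through encoded dot segments; the direct request (which the container already rejects) and the unencoded ../ request are not reported.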
CVE-2021-28163 - Symlink Directory Exposes Webapp Directory Contents
Affected Jetty Versions
9.4.32-9.4.38, 10.0.0.beta2-10.0.1, 11.0.0.beta2-11.0.1
Impact
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.
For example, the problem manifests in the following ${jetty.base}:
Patched Jetty Versions
9.4.39, 10.0.2, 11.0.2
Workarounds
Do not use a symlink for the webapps directory.
CVE ID
CVE-2021-28163
CWE
CWE-200
CVSS Score
2.7 Low
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Commercial production and development support for Jetty is offered through Webtide (www.webtide.com). Please contact us for more information or email chris@xxxxxxxxxxx to discuss your specific needs.
Best Regards,
The Jetty Development Team