|[jetty-dev] Eclipse Jetty DOS vulnerability for Quoted Quality CSV headers|
The Eclipse Jetty team wanted to make the community aware of a vulnerability discovered in recent versions of Jetty. This was given a CVE identifier of CVE-2020-27223.
When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.
The only features within Jetty that can trigger this behavior are:
Default Error Handling - the `Accept` request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc)
StatisticsServlet - uses the `Accept` request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc)
HttpServletRequest.getLocale() - uses the `Accept-Language` request header with the QuotedQualityCSV to determine which “preferred” language is returned on this call.
HttpservletRequest.getLocales() - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.
DefaultServlet - uses the `Accept-Encoding` request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)
QuotedQualityCSV was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. Currently, known vulnerable versions include:
9.4.6.v20170531 thru to 9.4.36.v20210114
Quality ordered values are used infrequently by Jetty so they can be avoided:
Do not use the default error page/handler.
Do not deploy the StatisticsServlet exposed to the network
Do not call the getLocale or getLocales APIs
Do not include pre-compressed static content for the DefaultServlet to make the determination on
Alternately, a rewrite rule can be deployed to limit the number and size of Accept-* fields in the header.
9.4.37 and greater
10.0.1 and greater
Back to the top