Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[jetty-dev] HTTP/2 Vulnerabilities and Eclipse Jetty Releases
The Jetty team is announcing the immediate availability of new releases for the Eclipse Jetty 9.4.x, 10.0.x, 11.0.x, and 12.0.x branches.

These releases include a number of bug fixes and improvements, along with addressing 2 HTTP/2 advisories.

Note: The Jetty 9.4.53 release was sponsored by a commercial support contract with webtide.com

See the github release pages for changelog.

 * https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
 * https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.17
 * https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.17
 * https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.2

The Security Advisories being published today are:

HTTP/2 DDoS Vector
  CVE: CVE-2023-44487 - (Industry / Spec level CVE, not Jetty specific)
  Severity: High (7.5)
  Impacted Versions:
    org.eclipse.jetty.http2:http2-common  >= 9.3.0, <= 9.4.52
    org.eclipse.jetty.http2:http2-common  >= 10.0.0, <= 10.0.16
    org.eclipse.jetty.http2:http2-common  >= 11.0.0, <= 11.0.16
    org.eclipse.jetty.http2:http2-server  >= 9.3.0, <= 9.4.52
    org.eclipse.jetty.http2:http2-server  >= 10.0.0, <= 10.0.16
    org.eclipse.jetty.http2:http2-server  >= 11.0.0, <= 11.0.16
    org.eclipse.jetty.http2:jetty-http2-common  >= 12.0.0, <= 12.0.1
    org.eclipse.jetty.http2:jetty-http2-server  >= 12.0.0, <= 12.0.1
  Fixed Versions:
    9.4.53
    10.0.17
    11.0.17
    12.0.2


HTTP/2 HPACK integer overflow and buffer allocation
  CVE: CVE-2023-36478
  Advisory: https://github.com/advisories/GHSA-wgh7-54f2-x98r
  Severity: High (7.5) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Weakness:
    CWE-190 - Integer Overflow or Wraparound
    CWE-400 - Uncontrolled Resource Consumption
  Impacted Versions:
    org.eclipse.jetty:jetty-http  >= 9.3.0, <= 9.4.52
    org.eclipse.jetty:jetty-http  >= 10.0.0, <= 10.0.15
    org.eclipse.jetty:jetty-http  >= 11.0.0, <= 11.0.15
    org.eclipse.jetty.http2:http2-hpack  >= 9.3.0, <= 9.4.52
    org.eclipse.jetty.http2:http2-hpack  >= 10.0.0, <= 10.0.15
    org.eclipse.jetty.http2:http2-hpack  >= 11.0.0, <= 11.0.15
    org.eclipse.jetty.http3:http3-qpack  >= 10.0.0, <= 10.0.15
    org.eclipse.jetty.http3:http3-qpack  >= 11.0.0, <= 11.0.15
  Fixed Versions:
    9.4.53
    10.0.16
    11.0.16
  Unaffected Versions:
    12.0.x


These releases are available on the Eclipse Jetty project download page or from the Maven Central repository:

 * Eclipse: https://eclipse.dev/jetty/download.php
 * Maven Central: https://repo1.maven.org/maven2/org/eclipse/jetty/
 
Documentation for these releases can be found on the Eclipse Jetty project site:

 * https://eclipse.dev/jetty/documentation.php

If you find any issues with these releases, or if you want to suggest future enhancements, please file an issue on the Jetty GitHub page:

 * https://github.com/eclipse/jetty.project/issues/new

Commercial production and development support for Jetty is offered through Webtide (webtide.com).
Please contact us for more information or email jesse@xxxxxxxxxxx to discuss your specific needs.

Best Regards,
The Jetty Development Team

Back to the top