close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Advisory: Denial of service vulnerability in Jetty web server

Synopsys Cybersecurity Research Center

Mar 01, 2021 / 2 min read

Table of Contents

Overview

Synopsys Cybersecurity Research Center (CyRC) researchers have discovered CVE-2020-27223, a denial of service vulnerability in Eclipse Jetty, a widely used open source web server and servlet container. According the Eclipse Foundation’s website, “Jetty is used in a wide variety of projects and products, both in development and production. Jetty has long been loved by developers due to its long history of being easily embedded in devices, tools, frameworks, application servers, and modern cloud services.”

When Jetty handles a request containing an Accept header with a large number of quality factor parameters (the q values in an Accept header), the server may enter a denial of service state due to high CPU usage. Synopsys researchers believe this to be the result of a vulnerability found in the sort method of the org.eclipse.jetty.http.QuotedQualityCSV class:

for (int i = _values.size(); i-- > 0; )

{

      String v = _values.get(i);

      Double q = _quality.get(i);

 

      int compare = last.compareTo(q);

      if (compare > 0 || (compare == 0 && _secondaryOrdering.applyAsInt(v) < 

lastSecondaryOrder))

      {

             _values.set(i, _values.get(i + 1));

             _values.set(i + 1, v);

             _quality.set(i, _quality.get(i + 1));

             _quality.set(i + 1, q);

             last = 0.0D;

             lastSecondaryOrder = 0;

             i = _values.size();

             continue;

      }

      last = q;

      lastSecondaryOrder = _secondaryOrdering.applyAsInt(v);

}

The only features within Jetty that can trigger this behavior are:

  • Default Error Handling – the Accept request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc)
  • StatisticsServlet – uses the Accept request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc)
  • HttpServletRequest.getLocale() – uses the Accept-Language request header with the QuotedQualityCSV to determine which “preferred” language is returned on this call.
  • HttpservletRequest.getLocales() – is similar to the above but returns an ordered list of locales based on the quality values on the Accept-Language request header.
  • DefaultServlet – uses the Accept-Encoding request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)

When the server encounters a request in which the number of sorted items are sufficiently large and the value of the values in an q parameter is sufficiently diverse, the sorting arrays cause a spike in CPU usage. Synopsys researchers have not observed memory leaks or crashes as a result of this behavior; however, the server may take minutes to process a single request whose size is in the tens of kilobytes range. Researchers observed an exponential relationship between the size of the request and the duration of CPU use.

Affected software

  • Eclipse Jetty version 9.4.6.v20170531 through 9.4.36.v20210114
  • Eclipse Jetty version 10.0.0
  • Eclipse Jetty version 11.0.0

Impact

CVSS 3.1 score
Vector:  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Score: 5.3 (Medium)

Exploitability metrics:
Attack vector (AV): N = Network
Attack complexity (AC): L = Low
Privileges required (PR): N = None
User interaction (UI): N = None
Scope (S): U = Unchanged

Impact metrics:
Confidentiality impact (C): N = None
Integrity impact (I): N = None
Availability impact (A): L = Low

Remediation

Software vendors and users of Jetty are strongly encouraged to upgrade to 9.4.38.v20210224, 10.0.1, or 11.0.1

Discovery credit

A team of researchers from Synopsys Cybersecurity Research Center in Oulu, Finland, discovered the issue using the Defensics® fuzz testing tool:

  • Matti Varanka
  • Tero Rontti

Synopsys would like to thank the Webtide team, the maintainers of Jetty, for their responsiveness and for addressing this matter in a timely manner.

Timeline

  • January 5, 2021: Vulnerability discovered in Jetty
  • February 10, 2021: Vulnerability disclosed to Webtide, the maintainers of Jetty
  • February 11, 2021: Webtide confirms the Jetty vulnerability and assigns CVE-2020-27223
  • February 22, 2021: Webtide publishes fix
  • February 26, 2021: Vulnerability advisory for CVE-2020-27223 is published

Continue Reading

Top 10 free pen tester tools

Top 10 free pen tester tools

Natalie Lightner
By Natalie Lightner

Apr 11, 2024 / 5 min read

Tags: Software Integrity, Security News & Trends, Pen Testing, Web AppSec, Manage Security Risks
Introducing fAST Dynamic: Streamlining dynamic application security testing

Introducing fAST Dynamic: Streamlining dynamic application security testing

Vishrut Iyengar
By Vishrut Iyengar

Mar 19, 2024 / 3 min read

Tags: DAST, Software Integrity, Security News & Trends, Build Security into DevOps
CVE-2017-5638: The Apache Struts vulnerability explained

CVE-2017-5638: The Apache Struts vulnerability explained

Fred Bals
By Fred Bals

Mar 16, 2024 / 3 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security