Software Integrity Blog

CyRC Vulnerability Advisory: Denial of service vulnerability in Jetty web server

CVE-2020-27223 is a denial of service vulnerability discovered in the Eclipse Foundation’s popular Jetty web server.


Overview

Synopsys Cybersecurity Research Center (CyRC) researchers have discovered CVE-2020-27223, a denial of service vulnerability in Eclipse Jetty, a widely used open source web server and servlet container. According to the Eclipse Foundation’s website, “Jetty is used in a wide variety of projects and products, both in development and production. Jetty has long been loved by developers due to its long history of being easily embedded in devices, tools, frameworks, application servers, and modern cloud services.”

When Jetty handles a request containing an Accept header with a large number of quality factor parameters (the q values in an Accept header), the server may enter a denial of service state due to high CPU usage. Synopsys researchers believe this to be the result of a vulnerability found in the sort method of the org.eclipse.jetty.http.QuotedQualityCSV class:

// Fragment of QuotedQualityCSV.sort() as cited in this advisory: the scan runs from
// the end of the list, swaps the first out-of-order neighbour pair it finds, and
// then restarts from the end again.
for (int i = _values.size(); i-- > 0; )
{
    String v = _values.get(i);
    Double q = _quality.get(i);

    // last and lastSecondaryOrder describe the entry at index i + 1
    int compare = last.compareTo(q);
    if (compare > 0 || (compare == 0 && _secondaryOrdering.applyAsInt(v) < lastSecondaryOrder))
    {
        // swap entries i and i + 1 ...
        _values.set(i, _values.get(i + 1));
        _values.set(i + 1, v);
        _quality.set(i, _quality.get(i + 1));
        _quality.set(i + 1, q);
        // ... then reset the running state and restart the whole scan from the end
        last = 0.0D;
        lastSecondaryOrder = 0;
        i = _values.size();
        continue;
    }
    last = q;
    lastSecondaryOrder = _secondaryOrdering.applyAsInt(v);
}

The only features within Jetty that can trigger this behavior are:

  • Default Error Handling – the `Accept` request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc)
  • StatisticsServlet – uses the `Accept` request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc)
  • HttpServletRequest.getLocale() – uses the `Accept-Language` request header with the QuotedQualityCSV to determine which “preferred” language is returned on this call.
  • HttpServletRequest.getLocales() – is similar to the above but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.
  • DefaultServlet – uses the `Accept-Encoding` request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)

When the server encounters a request in which the number of items to sort is sufficiently large and the q values are sufficiently diverse, the sort causes a spike in CPU usage. Synopsys researchers have not observed memory leaks or crashes as a result of this behavior; however, the server may take minutes to process a single request whose size is in the tens of kilobytes range. Researchers observed an exponential relationship between the size of the request and the duration of CPU use.
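To show why the loop quoted above gets so expensive, here is an added Python re-implementation of its logic (this is not Jetty's code and not the vendor's fix): it counts comparisons, checks its result against a single stable sort, and measures the cost on constructed inputs whose q values are distinct and ascending. The `secondary` function standing in for `_secondaryOrdering` is assumed to be a constant 0, the `parse_accept` helper is a minimal parser written for this example, and the header string and `type/N` entries are sample data.

```python
def parse_accept(header):
    """Minimal parser for an Accept-style header (written for this example,
    not Jetty's parser): 'text/html;q=0.8' -> ('text/html', 0.8); q defaults to 1.0."""
    items = []
    for field in header.split(","):
        parts = [p.strip() for p in field.split(";")]
        value, q = parts[0], 1.0
        for param in parts[1:]:
            if param.startswith("q="):
                q = float(param[2:])
        items.append((value, q))
    return items


def restart_sort(items, secondary=lambda value: 0):
    """The advisory's loop in Python: scan from the end, swap the first out-of-order
    neighbour pair, then restart the scan from the end. Returns the sorted
    (value, q) list and the number of comparisons made. `secondary` stands in for
    _secondaryOrdering; the constant 0 default is an assumption of this model."""
    values = [v for v, _ in items]
    quality = [q for _, q in items]
    comparisons = 0
    last, last_secondary = 0.0, 0
    i = len(values)
    while i > 0:
        i -= 1
        v, q = values[i], quality[i]
        comparisons += 1
        if last > q or (last == q and secondary(v) < last_secondary):
            values[i], values[i + 1] = values[i + 1], v
            quality[i], quality[i + 1] = quality[i + 1], q
            last, last_secondary = 0.0, 0
            i = len(values)  # restart from the end after every single swap
            continue
        last, last_secondary = q, secondary(v)
    return list(zip(values, quality)), comparisons


def reference_sort(items):
    """One stable sort by descending q; cost is O(n log n) whatever the input order."""
    return sorted(items, key=lambda item: -item[1])


def comparisons_for_ascending_q(n):
    """Cost of restart_sort on n constructed entries with distinct, ascending q values,
    i.e. the reverse of the wanted order (in-memory sample data, not a request)."""
    items = [("type/%d" % k, (k + 1) / (n + 1)) for k in range(n)]
    return restart_sort(items)[1]


if __name__ == "__main__":
    header = "text/plain;q=0.3, text/html;q=0.9, application/json;q=0.5, application/xml;q=0.7, */*;q=0.1"
    ordered, count = restart_sort(parse_accept(header))
    print(ordered == reference_sort(parse_accept(header)), count)
    for n in (5, 10, 20):
        print(n, comparisons_for_ascending_q(n))
```

On the ascending-q inputs the comparison count grows far faster than the O(n log n) of the reference sort, which is the behaviour behind the CPU spike described above.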

Affected software

  • Eclipse Jetty version 9.4.6.v20170531 through 9.4.36.v20210114
  • Eclipse Jetty version 10.0.0
  • Eclipse Jetty version 11.0.0

Impact

CVSS 3.1 score
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Score: 5.3 (Medium)

Exploitability metrics:
Attack vector (AV): N = Network
Attack complexity (AC): L = Low
Privileges required (PR): N = None
User interaction (UI): N = None
Scope (S): U = Unchanged

Impact metrics:
Confidentiality impact (C): N = None
Integrity impact (I): N = None
Availability impact (A): L = Low

Remediation

Software vendors and users of Jetty are strongly encouraged to upgrade to 9.4.38.v20210224, 10.0.1, or 11.0.1.

Discovery credit

A team of researchers from Synopsys Cybersecurity Research Center in Oulu, Finland, discovered the issue using the Defensics® fuzz testing tool:

  • Matti Varanka
  • Tero Rontti

Synopsys would like to thank the Webtide team, the maintainers of Jetty, for their responsiveness and for addressing this matter in a timely manner.

Timeline

  • January 5, 2021: Vulnerability discovered in Jetty
  • February 10, 2021: Vulnerability disclosed to Webtide, the maintainers of Jetty
  • February 11, 2021: Webtide confirms the Jetty vulnerability and assigns CVE-2020-27223
  • February 22, 2021: Webtide publishes fix
  • February 26, 2021: Vulnerability advisory for CVE-2020-27223 is published