Jetty vulnerability: invalid large TLS frame causes 100% CPU usage (CVE-2021-28165)

This Jetty vulnerability is a service availability (denial of service) issue. When Jetty is configured with SSL/TLS, whether it is serving HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large TLS frame (greater than 17408 bytes) that is handled incorrectly, causing CPU usage to climb until it eventually reaches 100%.
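The defensive check the description above implies, as an added example (this is not Jetty's, Red Hat's, or the advisory's code): a TLS record layer should validate the declared length in the 5-byte record header before it sizes a buffer or waits for the body, and should close the connection on an oversized record rather than keep looping on it. The RFC 5246 ceiling of 2^14 + 2048 bytes is the hard limit; the 17408-byte figure is taken from the advisory text on this page and is used only as an optional tighter cap, not derived here. The byte stream is constructed for the demonstration, not captured traffic.

```python
import struct

# TLS record header: content_type (1) || protocol_version (2) || length (2).
TLS_HEADER_LEN = 5

# RFC 5246 section 6.2.3: a TLSCiphertext body must not exceed 2^14 + 2048 bytes.
# A header declaring more is invalid by construction and is refused before any
# buffer is allocated or any read loop waits for the body.
MAX_TLS_RECORD_LEN = 2**14 + 2048  # 18432

# Assumption: 17408 is the threshold quoted on this page for the unpatched Jetty
# behaviour. It is offered here only as an optional, tighter application-level cap.
ADVISORY_FRAME_LIMIT = 17408

CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def parse_record_header(buf, limit=MAX_TLS_RECORD_LEN):
    """Parse one TLS record header and return (content_type_name, declared_length).

    Raises ValueError for a header a record layer must refuse: too short,
    unknown content type, non-TLS major version, or a length above `limit`.
    """
    if len(buf) < TLS_HEADER_LEN:
        raise ValueError("short header: need %d bytes, have %d" % (TLS_HEADER_LEN, len(buf)))
    ctype, major, _minor, length = struct.unpack("!BBBH", buf[:TLS_HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    if major != 3:
        raise ValueError("not a TLS record (major version %d)" % major)
    if length > limit:
        raise ValueError("oversized record: declared %d > limit %d" % (length, limit))
    return CONTENT_TYPES[ctype], length


def header_is_valid(buf, limit=MAX_TLS_RECORD_LEN):
    """Boolean wrapper around parse_record_header for quick accept/reject decisions."""
    try:
        parse_record_header(buf, limit)
        return True
    except ValueError:
        return False


def scan_records(data, limit=MAX_TLS_RECORD_LEN):
    """Walk a byte stream record by record.

    Entries are ("ok", type, length) for a complete valid record,
    ("incomplete", type_or_None, length) when the stream ends mid-record,
    or ("reject", reason) for an invalid header. Scanning stops at the first
    reject: the right response is to close the connection, not to keep
    waiting for bytes that can never legitimately arrive.
    """
    results = []
    offset = 0
    while offset < len(data):
        remaining = data[offset:]
        if len(remaining) < TLS_HEADER_LEN:
            results.append(("incomplete", None, TLS_HEADER_LEN))
            break
        try:
            ctype, length = parse_record_header(remaining, limit)
        except ValueError as exc:
            results.append(("reject", str(exc)))
            break
        body = remaining[TLS_HEADER_LEN:]
        if len(body) < length:
            results.append(("incomplete", ctype, length))
            break
        results.append(("ok", ctype, length))
        offset += TLS_HEADER_LEN + length
    return results


# Constructed sample stream (not captured traffic):
#  1. a handshake record declaring a 5-byte body, followed by that body;
#  2. an application_data record declaring 65535 bytes with only 10 present.
SAMPLE_STREAM = (
    b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
    + b"\x17\x03\x03\xff\xff" + b"A" * 10
)

if __name__ == "__main__":
    for entry in scan_records(SAMPLE_STREAM):
        print(entry)
```

Run as a script, the second record is reported as rejected with an "oversized record" reason and scanning stops there; passing `limit=ADVISORY_FRAME_LIMIT` to `scan_records` or `header_is_valid` applies the page's 17408-byte figure instead of the RFC ceiling.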

The following packages have been upgraded to a later upstream version: rh-eclipse-jetty (9.4.40).

Security Fixes:

  • jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)
  • jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)
  • jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Type/Severity

Security Advisory: Moderate

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Developer Tools (for RHEL Workstation) 1 x86_64
  • Red Hat Developer Tools (for RHEL Server) 1 x86_64

Fixes

  • BZ – 1945710 – CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
  • BZ – 1945712 – CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
  • BZ – 1945714 – CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
