Jetty Vulnerability using Invalid Large TLS Frame causes 100% CPU Usage
This Jetty vulnerability is to be considered as a service availability issue. When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.Â
The following packages have been upgraded to a later upstream version: rh-eclipse-jetty (9.4.40).
Security Fixes:
- jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)
- jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)
- jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Type/Severity
Security Advisory: Moderate
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Developer Tools (for RHEL Workstation) 1 x86_64
- Red Hat Developer Tools (for RHEL Server) 1 x86_64
Fixes
- BZ – 1945710Â – CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
- BZ – 1945712Â – CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
- BZ – 1945714Â – CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
References
Discover more from Patrick Domingues
Subscribe to get the latest posts sent to your email.