DoS Vulnerability in Eclipse Jetty Calls for Urgent Updates

Written by Bill Toulas
Published on March 3, 2021

A team of researchers at the Synopsys Cybersecurity Research Center (CyRC) discovered a denial of service (DoS) vulnerability in Eclipse Jetty, a widely-used open-source web server and servlet container. Given the identifier CVE-2020-27223, the flaw lies in how Jetty handles a request containing multiple Accept headers with a large number of parameters.

This scenario would put the CPU into a state of processing numerous quality values, creating a DoS condition that can last for entire minutes each time.

Source: CyRC

These accept headers can be abused through Jetty’s default error handling, the statistics servlet, the HTTP servlet request fetcher, and the default servlet, so there are four individual features that offer an attack surface. The severity of the flaw is classified as “Medium,” but due to the extensive deployment of the product, it impacts a vast number of systems.

To get an idea, Jetty is used in products such as Apache ActiveMQ, Alfresco, Scalatra, Apache Geronimo, Apache Maven, Apache Spark, Google App Engine, Eclipse, FUSE, iDempiere, Twitter's Streaming API, Zimbra, Lift, Eucalyptus, OpenNMS, Red5, Hadoop, and I2P. It is widely valued as a varied application framework, but this is precisely where the need for advanced web protection services to cover it arises.

As NNT’s security expert Dirk Schrader told us:

A DoS vulnerability in Jetty is something close to a digital nightmare, due to it being widely used. Especially for embedded devices in Industrial Control, which are quite often not patchable, this can have severe consequences as availability is paramount in these environments. A Shodan search shows approximately 900,000 entries for ‘Jetty’, with a large majority being located in the US. Even if these devices are behind a firewall or in separated networks, this vulnerability provides cybercriminals with a new attack vector for extortion. Next to, or instead of, encrypting systems, they can initiate a DoS on devices with an embedded Jetty web server once a foothold is established.

The affected software versions are the following:

The CyRC researchers discovered the flaw on January 5, 2021, and the first confirmation of the reception of the report from its maintainer came a month later. Finally, a fix was published on February 22, 2021, which was pushed to versions 9.4.38.v20210224, 10.0.1, and 11.0.1. Thus, if you’re using anything earlier than that, you are advised to upgrade immediately.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: