DoS Vulnerability in Eclipse Jetty Calls for Urgent Updates

  • Eclipse Jetty was found to be vulnerable to a medium-severity denial of service flaw.
  • A fix is already out, so those deploying Jetty are urged to upgrade immediately.
  • Jetty is very widely used, so the flaw potentially affects a large number of endpoints.

A team of researchers at the Synopsys Cybersecurity Research Center (CyRC) discovered a denial of service (DoS) vulnerability in Eclipse Jetty, a widely-used open-source web server and servlet container. Given the identifier CVE-2020-27223, the flaw lies in how Jetty handles a request containing multiple Accept headers with a large number of parameters.

Such a request keeps the CPU busy processing a very large number of quality values, creating a DoS condition that can last for several minutes each time the request is sent.

Source: CyRC

These accept headers can be abused through Jetty’s default error handling, the statistics servlet, the HTTP servlet request fetcher, and the default servlet, so there are four individual features that offer an attack surface. The severity of the flaw is classified as “Medium,” but due to the extensive deployment of the product, it impacts a vast number of systems.
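As an added illustration (not code from CyRC or the Jetty project), the following Python pre-filter shows how a reverse proxy or servlet filter in front of an unpatched instance could budget the combined Accept headers of a request and reject those with an excessive number of media ranges or parameters before Jetty parses them; the thresholds and the sample requests are assumptions for the example.

```python
"""Pre-filter for oversized Accept headers (added example, not Jetty code).

CVE-2020-27223 is triggered by requests carrying multiple Accept headers with
a large number of parameters; a proxy or servlet filter in front of an
unpatched instance can reject such requests before Jetty parses them.
The budgets below are assumptions, not values from the advisory.
"""
MAX_MEDIA_RANGES = 50   # assumed: total media ranges across all Accept headers
MAX_PARAMETERS = 100    # assumed: total ';'-separated parameters (q=... included)


def summarize_accept(headers):
    """Return (accept_headers, media_ranges, parameters) for one request.

    `headers` is a list of (name, value) pairs; only Accept headers count,
    and repeated Accept headers are summed, since that is how the flaw is hit.
    """
    n_headers = n_ranges = n_params = 0
    for name, value in headers:
        if name.lower() != "accept":
            continue
        n_headers += 1
        for media_range in value.split(","):
            parts = [p.strip() for p in media_range.split(";")]
            if not parts[0]:
                continue  # skip empty ranges (e.g. a trailing comma)
            n_ranges += 1
            n_params += len(parts) - 1
    return n_headers, n_ranges, n_params


def should_reject(headers, max_ranges=MAX_MEDIA_RANGES, max_params=MAX_PARAMETERS):
    """Return (reject, reason); reject is True when a budget is exceeded."""
    n_headers, n_ranges, n_params = summarize_accept(headers)
    if n_ranges > max_ranges:
        return True, f"{n_ranges} media ranges across {n_headers} Accept header(s)"
    if n_params > max_params:
        return True, f"{n_params} Accept parameters across {n_headers} header(s)"
    return False, "within budget"


# Constructed sample requests (not captured traffic).
NORMAL = [("Host", "example.test"),
          ("Accept", "text/html,application/xml;q=0.9,*/*;q=0.8")]
OVERSIZED = [("Host", "example.test")] + [
    ("Accept", ",".join(f"text/plain;q=0.5;p{i}=x" for i in range(20)))
    for _ in range(10)]

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(label, should_reject(req))
```

A rejected request should be logged with the counts so that the filter's decisions can be reviewed and the budgets tuned to legitimate client behaviour.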

To get an idea, Jetty is used in products such as Apache ActiveMQ, Alfresco, Scalatra, Apache Geronimo, Apache Maven, Apache Spark, Google App Engine, Eclipse, FUSE, iDempiere, Twitter's Streaming API, Zimbra, Lift, Eucalyptus, OpenNMS, Red5, Hadoop, and I2P. It is widely valued as a versatile application framework, but that breadth of deployment is precisely why it needs to be covered by advanced web protection services.

As NNT’s security expert Dirk Schrader told us:

A DoS vulnerability in Jetty is something close to a digital nightmare, due to it being widely used. Especially for embedded devices in Industrial Control, which are quite often not patchable, this can have severe consequences as availability is paramount in these environments. A Shodan search shows approximately 900,000 entries for ‘Jetty’, with a large majority being located in the US. Even if these devices are behind a firewall or in separated networks, this vulnerability provides cybercriminals with a new attack vector for extortion. Next to, or instead of, encrypting systems, they can initiate a DoS on devices with an embedded Jetty web server once a foothold is established.

The affected software versions are the following:

  • Eclipse Jetty version 9.4.6.v20170531 through 9.4.36.v20210114
  • Eclipse Jetty version 10.0.0
  • Eclipse Jetty version 11.0.0

The CyRC researchers discovered the flaw on January 5, 2021, and the maintainers first acknowledged receipt of the report a month later. A fix was finally published on February 22, 2021, in versions 9.4.38.v20210224, 10.0.1, and 11.0.1. Thus, if you’re running anything earlier than those releases, you are advised to upgrade immediately.
