CyRC Vulnerability Advisory: Denial of service vulnerability in Jetty web server

Cybersecurity Research Center

Mar 01, 2021 / 2 min read

Overview

Black Duck Cybersecurity Research Center (CyRC) researchers have discovered CVE-2020-27223, a denial of service vulnerability in Eclipse Jetty, a widely used open source web server and servlet container. According to the Eclipse Foundation’s website, “Jetty is used in a wide variety of projects and products, both in development and production. Jetty has long been loved by developers due to its long history of being easily embedded in devices, tools, frameworks, application servers, and modern cloud services.”

When Jetty handles a request containing an Accept header with a large number of quality factor parameters (the q values in an Accept header), the server may enter a denial of service state due to high CPU usage. Black Duck researchers believe this to be the result of a vulnerability found in the sort method of the org.eclipse.jetty.http.QuotedQualityCSV class:

for (int i = _values.size(); i-- > 0; )
{
    String v = _values.get(i);
    Double q = _quality.get(i);

    int compare = last.compareTo(q);
    if (compare > 0 || (compare == 0 && _secondaryOrdering.applyAsInt(v) < lastSecondaryOrder))
    {
        // Adjacent pair is out of order: swap the two entries ...
        _values.set(i, _values.get(i + 1));
        _values.set(i + 1, v);
        _quality.set(i, _quality.get(i + 1));
        _quality.set(i + 1, q);
        last = 0.0D;
        lastSecondaryOrder = 0;
        // ... and restart the scan from the end of the list, so every
        // swap costs another pass over everything already scanned.
        i = _values.size();
        continue;
    }

    last = q;
    lastSecondaryOrder = _secondaryOrdering.applyAsInt(v);
}

The only features within Jetty that can trigger this behavior are:

  • Default Error Handling – the Accept request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc.)
  • StatisticsServlet – uses the Accept request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc.)
  • HttpServletRequest.getLocale() – uses the Accept-Language request header with the QuotedQualityCSV to determine which “preferred” language is returned on this call.
  • HttpServletRequest.getLocales() – is similar to the above but returns an ordered list of locales based on the quality values in the Accept-Language request header.
  • DefaultServlet – uses the Accept-Encoding request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)

When the server encounters a request in which the number of items to sort is sufficiently large and the q parameter values are sufficiently diverse, sorting the arrays causes a spike in CPU usage. Black Duck researchers have not observed memory leaks or crashes as a result of this behavior; however, the server may take minutes to process a single request whose size is in the tens of kilobytes. Researchers observed an exponential relationship between the size of the request and the duration of CPU use.
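To make the cost of the restart-on-swap loop concrete, the following is an added example (a Python re-implementation, not Jetty's code and not part of the advisory). jetty_style_sort mirrors the quoted loop and counts comparisons; stable_sort is the conventional alternative, a single stable sort keyed on quality then secondary order. The initial values of last (0.0) and lastSecondaryOrder (0), the secondary ordering function and the ascending-quality input are assumptions constructed for the demonstration.

```python
"""Comparison counts for the sort loop quoted in the advisory versus one stable sort.

Added example: a Python re-implementation of the quoted loop, not Jetty's code.
"""
from functools import cmp_to_key


def jetty_style_sort(values, qualities, secondary_ordering=lambda v: 0):
    """Mirror of the quoted loop. Assumption: `last` starts at 0.0 and
    `last_secondary` at 0, the values the quoted code resets them to after a swap.
    Returns (values, qualities, comparison_count)."""
    values, qualities = list(values), list(qualities)
    comparisons = 0
    last, last_secondary = 0.0, 0
    i = len(values)
    while i > 0:
        i -= 1
        v, q = values[i], qualities[i]
        comparisons += 1
        # `compare > 0` in the Java code means last > q.
        if last > q or (last == q and secondary_ordering(v) < last_secondary):
            values[i], values[i + 1] = values[i + 1], v
            qualities[i], qualities[i + 1] = qualities[i + 1], q
            # Every swap restarts the scan from the end of the list.
            last, last_secondary = 0.0, 0
            i = len(values)
            continue
        last, last_secondary = q, secondary_ordering(v)
    return values, qualities, comparisons


def stable_sort(values, qualities, secondary_ordering=lambda v: 0):
    """One stable sort: highest quality first, ties broken by higher secondary
    order first, full ties keep input order (the same order the loop above yields).
    Returns (values, qualities, comparison_count)."""
    comparisons = 0

    def cmp(a, b):
        nonlocal comparisons
        comparisons += 1
        (va, qa), (vb, qb) = a, b
        if qa != qb:
            return -1 if qa > qb else 1
        sa, sb = secondary_ordering(va), secondary_ordering(vb)
        if sa != sb:
            return -1 if sa > sb else 1
        return 0

    ordered = sorted(zip(values, qualities), key=cmp_to_key(cmp))
    return [v for v, _ in ordered], [q for _, q in ordered], comparisons


def ascending_qualities(n):
    """Constructed input: n entries with distinct, ascending q values in (0, 1),
    i.e. the shape 'v0;q=0.0x, v1;q=0.0y, ...' with every adjacent pair inverted."""
    return [f"v{k}" for k in range(n)], [(k + 1) / (n + 1) for k in range(n)]


def compare_costs(n):
    """Comparison counts (quoted loop, stable sort) for the constructed input of size n."""
    values, qualities = ascending_qualities(n)
    _, _, loop_count = jetty_style_sort(values, qualities)
    _, _, stable_count = stable_sort(values, qualities)
    return loop_count, stable_count


if __name__ == "__main__":
    for n in (20, 40, 80):
        loop_count, stable_count = compare_costs(n)
        print(f"n={n:3d}  quoted loop: {loop_count:7d} comparisons   stable sort: {stable_count:4d}")
```

Because every inversion is fixed by an adjacent swap that then restarts the scan, the quoted loop performs at least n(n-1)/2 comparisons on this input, and in practice far more, while the stable sort stays near n log n; doubling n makes the gap grow sharply, which is the behaviour the advisory describes.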

Affected software

  • Eclipse Jetty version 9.4.6.v20170531 through 9.4.36.v20210114
  • Eclipse Jetty version 10.0.0
  • Eclipse Jetty version 11.0.0

Impact

CVSS 3.1 score
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Score: 5.3 (Medium)

Exploitability metrics:
Attack vector (AV): N = Network
Attack complexity (AC): L = Low
Privileges required (PR): N = None
User interaction (UI): N = None
Scope (S): U = Unchanged

Impact metrics:
Confidentiality impact (C): N = None
Integrity impact (I): N = None
Availability impact (A): L = Low

Remediation

Software vendors and users of Jetty are strongly encouraged to upgrade to 9.4.38.v20210224, 10.0.1, or 11.0.1.
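A practitioner triaging an inventory will want to turn the Affected software and Remediation sections into a mechanical check. The following is an added example (not Black Duck's or Jetty's code): it encodes the affected ranges and the recommended upgrade for each release line exactly as the advisory states them, and parses Jetty's version strings by ignoring the date suffix. The inventory list and the function names are constructed for the example.

```python
"""Affected-version check for CVE-2020-27223 (added example, not part of the advisory).

Ranges and recommended versions are taken from the advisory's Affected software
and Remediation sections.
"""
import re

# Inclusive affected ranges on each release line, as (lower, upper) triples.
AFFECTED_RANGES = [
    ((9, 4, 6), (9, 4, 36)),   # 9.4.6.v20170531 through 9.4.36.v20210114
    ((10, 0, 0), (10, 0, 0)),  # 10.0.0
    ((11, 0, 0), (11, 0, 0)),  # 11.0.0
]

# Recommended upgrade per major line, from the Remediation section.
RECOMMENDED = {9: "9.4.38.v20210224", 10: "10.0.1", 11: "11.0.1"}

# major.minor.patch, optionally followed by Jetty's '.vYYYYMMDD' date suffix
# or any other '.'/'-' qualifier, which is ignored for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")


def parse_version(version):
    """Return (major, minor, patch) for e.g. '9.4.36.v20210114' or '10.0.1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges.
    Versions the advisory lists in neither section (for example anything between
    the top of a range and the recommended release) are reported as not affected."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(version):
    """Return {'affected': bool, 'recommended': upgrade version or None}."""
    v = parse_version(version)
    affected = any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)
    return {"affected": affected, "recommended": RECOMMENDED.get(v[0]) if affected else None}


if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    inventory = ["9.4.36.v20210114", "9.4.38.v20210224", "10.0.0", "11.0.1", "9.3.29"]
    for version in inventory:
        result = assess(version)
        action = f"upgrade to {result['recommended']}" if result["affected"] else "no action"
        print(f"{version:20s} affected={result['affected']!s:5s} {action}")
```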

Discovery credit

A team of researchers from Black Duck Cybersecurity Research Center in Oulu, Finland, discovered the issue using the Defensics® fuzz testing tool:

  • Matti Varanka
  • Tero Rontti

Black Duck would like to thank the Webtide team, the maintainers of Jetty, for their responsiveness and for addressing this matter in a timely manner.

Timeline

  • January 5, 2021: Vulnerability discovered in Jetty
  • February 10, 2021: Vulnerability disclosed to Webtide, the maintainers of Jetty
  • February 11, 2021: Webtide confirms the Jetty vulnerability and assigns CVE-2020-27223
  • February 22, 2021: Webtide publishes fix
  • February 26, 2021: Vulnerability advisory for CVE-2020-27223 is published
