Lucene search

K
githubGitHub Advisory DatabaseGHSA-M394-8RWW-3JR7
HistoryMar 10, 2021 - 3:46 a.m.

DOS vulnerability for Quoted Quality CSV headers

2021-03-1003:46:47
CWE-400
GitHub Advisory Database
github.com
56

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.03 Low

EPSS

Percentile

90.8%

Impact

When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the Accept, Accept-Encoding, and Accept-Language request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.

The only features within Jetty that can trigger this behavior are:

  • Default Error Handling - the Accept request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc)
  • StatisticsServlet - uses the Accept request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc)
  • HttpServletRequest.getLocale() - uses the Accept-Language request header with the QuotedQualityCSV to determine which “preferred” language is returned on this call.
  • HttpservletRequest.getLocales() - is similar to the above, but returns an ordered list of locales based on the quality values on the Accept-Language request header.
  • DefaultServlet - uses the Accept-Encoding request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)

Versions

QuotedQualityCSV was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531.

Currently, known vulnerable versions include:

  • 9.4.6.v20170531 thru to 9.4.36.v20210114
  • 10.0.0
  • 11.0.0

Workarounds

Quality ordered values are used infrequently by jetty so they can be avoided by:

  • Do not use the default error page/handler.
  • Do not deploy the StatisticsServlet exposed to the network
  • Do not call getLocale API
  • Do not enable precompressed static content in the DefaultServlet

Patches

All patches are available for download from the Eclipse Jetty website at https://www.eclipse.org/jetty/download.php

  • 9.4.37.v20210219 and greater
  • 10.0.1 and greater
  • 11.0.1 and greater

References

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.03 Low

EPSS

Percentile

90.8%

Related for GHSA-M394-8RWW-3JR7