GHSA-26vr-8j45-3r4w

Suggest an improvement
Source
https://github.com/advisories/GHSA-26vr-8j45-3r4w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-26vr-8j45-3r4w
Aliases
Published
2021-04-06T17:31:30Z
Modified
2024-03-11T05:36:57.484846Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Jetty vulnerable to incorrect handling of invalid large TLS frame, exhausting CPU resources
Details

Impact

When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.

Workarounds

The problem can be worked around by compiling the following class:

package org.eclipse.jetty.server.ssl.fix6072;

import java.nio.ByteBuffer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.ssl.SslConnection;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.BufferUtil;
import org.eclipse.jetty.util.annotation.Name;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory
{
    public SpaceCheckingSslConnectionFactory(@Name("sslContextFactory") SslContextFactory factory, @Name("next") String nextProtocol)
    {
        super(factory, nextProtocol);
    }

    @Override
    protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine)
    {
        return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption())
        {
            @Override
            protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException
            {
                SSLEngineResult results = super.unwrap(sslEngine, input, output);

                if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW ||
                    results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) &&
                    BufferUtil.space(input) == 0)
                {
                    BufferUtil.clear(input);
                    throw new SSLHandshakeException("Encrypted buffer max length exceeded");
                }
                return results;
            }
        };
    }
}

This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file ${jetty.home}/modules/ssl.mod to ${jetty.base}/modules + Edit the ${jetty.base}/modules/ssl.mod file to have the following section:

[lib]
lib/sslfix6072.jar
  • Copy the file ${jetty.home}/etc/jetty-https.xml and${jetty.home}/etc/jetty-http2.xml to ${jetty.base}/etc
  • Edit files ${jetty.base}/etc/jetty-https.xml and ${jetty.base}/etc/jetty-http2.xml, changing any reference of org.eclipse.jetty.server.SslConnectionFactory to org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory. For example:
      <Call name="addIfAbsentConnectionFactory">
        <Arg>
          <New class="org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory">
            <Arg name="next">http/1.1</Arg>
            <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
          </New>
        </Arg>
      </Call>
    
  • Restart Jetty
Database specific
{
    "nvd_published_at": "2021-04-01T15:15:00Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-551",
        "CWE-755"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-02T23:02:13Z"
}
References

Affected packages

Maven / org.eclipse.jetty:jetty-server

Package

Name
org.eclipse.jetty:jetty-server
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.2
Fixed
9.4.39

Affected versions

7.*

7.2.2.v20101205
7.3.0.v20110203
7.3.1.v20110307
7.4.0.RC0
7.4.0.v20110414
7.4.1.v20110513
7.4.2.v20110526
7.4.3.v20110701
7.4.4.v20110707
7.4.5.v20110725
7.5.0.RC0
7.5.0.RC1
7.5.0.RC2
7.5.0.v20110901
7.5.1.v20110908
7.5.2.v20111006
7.5.3.v20111011
7.5.4.v20111024
7.6.0.RC0
7.6.0.RC1
7.6.0.RC2
7.6.0.RC3
7.6.0.RC4
7.6.0.RC5
7.6.0.v20120127
7.6.1.v20120215
7.6.2.v20120308
7.6.3.v20120416
7.6.4.v20120524
7.6.5.v20120716
7.6.6.v20120903
7.6.7.v20120910
7.6.8.v20121106
7.6.9.v20130131
7.6.10.v20130312
7.6.11.v20130520
7.6.12.v20130726
7.6.13.v20130916
7.6.14.v20131031
7.6.15.v20140411
7.6.16.v20140903
7.6.17.v20150415
7.6.18.v20150929
7.6.19.v20160209
7.6.20.v20160902
7.6.21.v20160908

8.*

8.0.0.M0
8.0.0.M1
8.0.0.M2
8.0.0.M3
8.0.0.RC0
8.0.0.v20110901
8.0.1.v20110908
8.0.2.v20111006
8.0.3.v20111011
8.0.4.v20111024
8.1.0.RC0
8.1.0.RC1
8.1.0.RC2
8.1.0.RC4
8.1.0.RC5
8.1.0.v20120127
8.1.1.v20120215
8.1.2.v20120308
8.1.3.v20120416
8.1.4.v20120524
8.1.5.v20120716
8.1.6.v20120903
8.1.7.v20120910
8.1.8.v20121106
8.1.9.v20130131
8.1.10.v20130312
8.1.11.v20130520
8.1.12.v20130726
8.1.13.v20130916
8.1.14.v20131031
8.1.15.v20140411
8.1.16.v20140903
8.1.17.v20150415
8.1.18.v20150929
8.1.19.v20160209
8.1.20.v20160902
8.1.21.v20160908
8.1.22.v20160922
8.2.0.v20160908

9.*

9.0.0.M0
9.0.0.M1
9.0.0.M2
9.0.0.M3
9.0.0.M4
9.0.0.M5
9.0.0.RC0
9.0.0.RC1
9.0.0.RC2
9.0.0.v20130308
9.0.1.v20130408
9.0.2.v20130417
9.0.3.v20130506
9.0.4.v20130625
9.0.5.v20130815
9.0.6.v20130930
9.0.7.v20131107
9.1.0.M0
9.1.0.RC0
9.1.0.RC1
9.1.0.RC2
9.1.0.v20131115
9.1.1.v20140108
9.1.2.v20140210
9.1.3.v20140225
9.1.4.v20140401
9.1.5.v20140505
9.1.6.v20160112
9.2.0.M0
9.2.0.M1
9.2.0.RC0
9.2.0.v20140526
9.2.1.v20140609
9.2.2.v20140723
9.2.3.v20140905
9.2.4.v20141103
9.2.5.v20141112
9.2.6.v20141205
9.2.7.v20150116
9.2.8.v20150217
9.2.9.v20150224
9.2.10.v20150310
9.2.11.M0
9.2.11.v20150529
9.2.12.M0
9.2.12.v20150709
9.2.13.v20150730
9.2.14.v20151106
9.2.15.v20160210
9.2.16.v20160414
9.2.17.v20160517
9.2.18.v20160721
9.2.19.v20160908
9.2.20.v20161216
9.2.21.v20170120
9.2.22.v20170606
9.2.23.v20171218
9.2.24.v20180105
9.2.25.v20180606
9.2.26.v20180806
9.2.27.v20190403
9.2.28.v20190418
9.2.29.v20191105
9.2.30.v20200428
9.3.0.M0
9.3.0.M1
9.3.0.M2
9.3.0.RC0
9.3.0.RC1
9.3.0.v20150612
9.3.1.v20150714
9.3.2.v20150730
9.3.3.v20150827
9.3.4.RC0
9.3.4.RC1
9.3.4.v20151007
9.3.5.v20151012
9.3.6.v20151106
9.3.7.RC0
9.3.7.RC1
9.3.7.v20160115
9.3.8.RC0
9.3.8.v20160314
9.3.9.M0
9.3.9.M1
9.3.9.v20160517
9.3.10.M0
9.3.10.v20160621
9.3.11.M0
9.3.11.v20160721
9.3.12.v20160915
9.3.13.M0
9.3.13.v20161014
9.3.14.v20161028
9.3.15.v20161220
9.3.16.v20170120
9.3.17.RC0
9.3.17.v20170317
9.3.18.v20170406
9.3.19.v20170502
9.3.20.v20170531
9.3.21.M0
9.3.21.RC0
9.3.21.v20170918
9.3.22.v20171030
9.3.23.v20180228
9.3.24.v20180605
9.3.25.v20180904
9.3.26.v20190403
9.3.27.v20190418
9.3.28.v20191105
9.3.29.v20201019
9.3.30.v20211001
9.4.0.M0
9.4.0.M1
9.4.0.RC0
9.4.0.RC1
9.4.0.RC2
9.4.0.RC3
9.4.0.v20161208
9.4.0.v20180619
9.4.1.v20170120
9.4.1.v20180619
9.4.2.v20170220
9.4.2.v20180619
9.4.3.v20170317
9.4.3.v20180619
9.4.4.v20170414
9.4.4.v20180619
9.4.5.v20170502
9.4.5.v20180619
9.4.6.v20170531
9.4.6.v20180619
9.4.7.RC0
9.4.7.v20170914
9.4.7.v20180619
9.4.8.v20171121
9.4.8.v20180619
9.4.9.v20180320
9.4.10.RC0
9.4.10.RC1
9.4.10.v20180503
9.4.11.v20180605
9.4.12.RC0
9.4.12.RC1
9.4.12.RC2
9.4.12.v20180830
9.4.13.v20181111
9.4.14.v20181114
9.4.15.v20190215
9.4.16.v20190411
9.4.17.v20190418
9.4.18.v20190429
9.4.19.v20190610
9.4.20.v20190813
9.4.21.v20190926
9.4.22.v20191022
9.4.23.v20191118
9.4.24.v20191120
9.4.25.v20191220
9.4.26.v20200117
9.4.27.v20200227
9.4.28.v20200408
9.4.29.v20200521
9.4.30.v20200611
9.4.31.v20200723
9.4.32.v20200930
9.4.33.v20201020
9.4.34.v20201102
9.4.35.v20201120
9.4.36.v20210114
9.4.37.v20210219
9.4.38.v20210224

Maven / org.eclipse.jetty:jetty-server

Package

Name
org.eclipse.jetty:jetty-server
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.2

Affected versions

10.*

10.0.0
10.0.1

Maven / org.eclipse.jetty:jetty-server

Package

Name
org.eclipse.jetty:jetty-server
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.0.2

Affected versions

11.*

11.0.0
11.0.1