GHSA-r7m4-f9h5-gr79

Описание

Impact

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Patches

• https://github.com/jetty/jetty.project/pull/9715
• https://github.com/jetty/jetty.project/pull/9716

Workarounds

The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:

• not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
• reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.
• configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

References

• https://github.com/jetty/jetty.project/pull/10756
• https://github.com/jetty/jetty.project/pull/10755