Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-28165

Опубликовано: 01 апр. 2021
Источник: redhat
CVSS3: 7.5
EPSS Средний

Описание

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resources utilization. The highest threat from this vulnerability is to service availability.

Отчет

In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat CodeReady Studio 12jetty-serverAffected
Red Hat Enterprise Linux 7jettyOut of support scope
Red Hat Enterprise Linux 8eclipse:rhel8/jettyWill not fix
Red Hat Integration Service Registryjetty-serverAffected
Red Hat JBoss A-MQ 6jetty-serverOut of support scope
Red Hat JBoss Fuse 6jettyOut of support scope
Red Hat JBoss Fuse 6jetty-serverOut of support scope
Red Hat OpenShift Container Platform 3.11jenkinsAffected
Red Hat OpenShift Container Platform 4openshift4/ose-metering-hadoopWill not fix
Red Hat OpenShift Container Platform 4openshift4/ose-metering-hiveWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=1945714jetty: Resource exhaustion when receiving an invalid large TLS frame

EPSS

Процентиль: 93%
0.10511
Средний

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-28165

CVSS3: 7.5
ubuntu
почти 5 лет назад

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

nvd логотип

CVE-2021-28165

CVSS3: 7.5
nvd
почти 5 лет назад

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

debian логотип

CVE-2021-28165

CVSS3: 7.5
debian
почти 5 лет назад

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0. ...

github логотип

GHSA-26vr-8j45-3r4w

CVSS3: 7.5
github
почти 5 лет назад

Jetty vulnerable to incorrect handling of invalid large TLS frame, exhausting CPU resources

fstec логотип

BDU:2022-05507

CVSS3: 7.5
fstec
почти 5 лет назад

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 93%
0.10511
Средний

7.5 High

CVSS3