Описание
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.
Отчет
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Red Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Serverless | org.eclipse.jetty/jetty-servlets | Not affected | ||
| Red Hat build of Apicurio Registry 2 | org.eclipse.jetty/jetty-servlets | Not affected | ||
| Red Hat build of Debezium 2 | org.eclipse.jetty/jetty-servlets | Not affected | ||
| Red Hat Build of Keycloak | org.eclipse.jetty/jetty-servlets | Will not fix | ||
| Red Hat Data Grid 8 | org.eclipse.jetty/jetty-servlets | Not affected | ||
| Red Hat Fuse 7 | org.eclipse.jetty/jetty-servlets | Out of support scope | ||
| Red Hat Integration Camel K 1 | org.eclipse.jetty/jetty-servlets | Will not fix | ||
| Red Hat JBoss Data Grid 7 | org.eclipse.jetty/jetty-servlets | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 7 | org.eclipse.jetty/jetty-servlets | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 8 | org.eclipse.jetty/jetty-servlets | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
There exists a security vulnerability in Jetty's DosFilter which can b ...
Eclipse Jetty has a denial of service vulnerability on DosFilter
EPSS
5.3 Medium
CVSS3