Overview
Synopsys Cybersecurity Research Center (CyRC) researchers have discovered CVE-2020-27223, a denial of service vulnerability in Eclipse Jetty, a widely used open source web server and servlet container. According the Eclipse Foundation’s website, “Jetty is used in a wide variety of projects and products, both in development and production. Jetty has long been loved by developers due to its long history of being easily embedded in devices, tools, frameworks, application servers, and modern cloud services.”
When Jetty handles a request containing an Accept header with a large number of quality factorparameters (the q values in an Accept header), the server may enter a denial of service state due to high CPU usage. Synopsys researchers believe this to be the result of a vulnerability found in the sort method of the org.eclipse.jetty.http.QuotedQualityCSV class:
The only features within Jetty that can trigger this behaviour are:
- Default Error Handling – the `Accept` request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc)
- StatisticsServlet – uses the `Accept` request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc)
- HttpServletRequest.getLocale() – uses the `Accept-Language` request header with the QuotedQualityCSV to determine which “preferred” language is returned on this call.
- HttpservletRequest.getLocales() – is similar to the above but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.
- DefaultServlet – uses the `Accept-Encoding` request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)
When the server encounters a request in which the number of sorted items are sufficiently large and the value of the values in an q parameter is sufficiently diverse, the sorting arrays cause a spike in CPU usage. Synopsys researchers have not observed memory leaks or crashes as a result of this behaviour; however, the server may take minutes to process a single request whose size is in the tens of kilobytes range. Researchers observed an exponential relationship between the size of the request and the duration of CPU use.
Affected software
- Eclipse Jetty version 9.4.6.v20170531 through 9.4.36.v20210114
- Eclipse Jetty version 10.0.0
- Eclipse Jetty version 11.0.0
Impact
- CVSS 3.1 score
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Score: 5.3 (Medium)
Exploitability metrics:
- Attack vector (AV): N = Network
- Attack complexity (AC): L = Low
- Privileges required (PR): N = None
- User interaction (UI): N = None
- Scope (S): U = Unchanged
Impact metrics:
- Confidentiality impact (C): N = None
- Integrity impact (I): N = None
- Availability impact (A): L = Low
Remediation
Software vendors and users of Jetty are strongly encouraged to upgrade to 9.4.38.v20210224, 10.0.1, or 11.0.1
Discovery credit
A team of researchers from Synopsys Cybersecurity Research Center in Oulu, Finland, discovered the issue using the Defensics® fuzz testing tool:
- Matti Varanka
- Tero Rontti
Synopsys would like to thank the Webtide team, the maintainers of Jetty, for their responsiveness and for addressing this matter in a timely manner.
Timeline
- January 5, 2021: Vulnerability discovered in Jetty
- February 10, 2021: Vulnerability disclosed to Webtide, the maintainers of Jetty
- February 11, 2021: Webtide confirms the Jetty vulnerability and assigns CVE-2020-27223
- February 22, 2021: Webtide publishes fix
- February 26, 2021: Vulnerability advisory for CVE-2020-27223 is published
