https://bugzilla.redhat.com/show_bug.cgi?id=1945714
Bug ID: 1945714
Summary: CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, ataylor@redhat.com, bibryam@redhat.com, bmontgom@redhat.com, chazlett@redhat.com, dbecker@redhat.com, drieden@redhat.com, eclipse-sig@lists.fedoraproject.org, eparis@redhat.com, eric.wittmann@redhat.com, etirelli@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, hbraun@redhat.com, ibek@redhat.com, janstey@redhat.com, java-maint@redhat.com, jburrell@redhat.com, jjohnstn@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jross@redhat.com, jschluet@redhat.com, jstastny@redhat.com, jwon@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, lhh@redhat.com, lpeer@redhat.com, mat.booth@gmail.com, mburns@redhat.com, mizdebsk@redhat.com, mkolesni@redhat.com, mnovotny@redhat.com, nstielau@redhat.com, pantinor@redhat.com, pjindal@redhat.com, rrajasek@redhat.com, sclewis@redhat.com, scohen@redhat.com, slinaber@redhat.com, sochotni@redhat.com, sponnaga@redhat.com, swoodman@redhat.com, tzimanyi@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-...
Pedro Sampaio psampaio@redhat.com changed:
Depends On: added 1945715
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1945715 [Bug 1945715] CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame [fedora-all]
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1945715]
Pedro Sampaio psampaio@redhat.com changed:
Blocks: added 1945716
Przemyslaw Roguski proguski@redhat.com changed:
Fixed In Version: added jetty 9.4.39, jetty 10.0.2, jetty 11.0.2
--- Comment #2 from Przemyslaw Roguski proguski@redhat.com --- External References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-...
--- Doc Text *updated* --- When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU utilization. The highest threat from this vulnerability is to service availability.
--- Comment #3 from Przemyslaw Roguski proguski@redhat.com --- Statement:
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of jetty. Since the release of OCP 4.6, the Metering product has been deprecated [1]; hence the affected components are marked as wontfix. This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rele...
Przemyslaw Roguski proguski@redhat.com changed:
Depends On: added 1947811, 1947810
--- Comment #7 from Przemyslaw Roguski proguski@redhat.com --- Upstream PRs:
https://github.com/eclipse/jetty.project/pull/6073
https://github.com/eclipse/jetty.project/pull/6074
--- Comment #9 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss A-MQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #10 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat Camel K as having a low impact: although Camel K distributes jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer; http functionality is provided by the camel-k default runtime, Quarkus.
Riccardo Schirone rschiron@redhat.com changed:
Depends On: added 1952069, 1952068
Bug 1945714 depends on bug 1945715, which changed state.
Bug 1945715 Summary: CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1945715
Status: ON_QA -> CLOSED
Resolution: --- -> ERRATA
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Developer Tools
Via RHSA-2021:1509 https://access.redhat.com/errata/RHSA-2021:1509
Product Security DevOps Team prodsec-dev@redhat.com changed:
Status: NEW -> CLOSED
Resolution: --- -> ERRATA
Last Closed: 2021-05-06 20:34:09
--- Comment #18 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-28165
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.6.4
Via RHSA-2021:1560 https://access.redhat.com/errata/RHSA-2021:1560
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2021:1551 https://access.redhat.com/errata/RHSA-2021:1551
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.8.2
Via RHSA-2021:2689 https://access.redhat.com/errata/RHSA-2021:2689
errata-xmlrpc errata-xmlrpc@redhat.com changed:
Link ID: added Red Hat Product Errata RHSA-2021:2689
David Hernández Fernández dahernan@redhat.com changed:
Depends On: added 1987180
Adam Kaplan adam.kaplan@redhat.com changed:
Depends On: added 1972366
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1972366 [Bug 1972366] Bump jenkins version to 2.289.1
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
Link ID: added Red Hat Product Errata RHSA-2021:3140
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.8.0
Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225
errata-xmlrpc errata-xmlrpc@redhat.com changed:
Link ID: added Red Hat Product Errata RHSA-2021:3225
Bug 1945714 depends on bug 1972366, which changed state.
Bug 1972366 Summary: Bump jenkins version to 2.289.1 https://bugzilla.redhat.com/show_bug.cgi?id=1972366
Status: RELEASE_PENDING -> CLOSED
Resolution: --- -> ERRATA
--- Comment #27 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.9.0
Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
errata-xmlrpc errata-xmlrpc@redhat.com changed:
Link ID: added Red Hat Product Errata RHSA-2021:3700
--- Comment #29 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration
Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
errata-xmlrpc errata-xmlrpc@redhat.com changed:
Link ID: added Red Hat Product Errata RHSA-2021:4767
--- Comment #30 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHAF Camel-K 1.8
Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
errata-xmlrpc errata-xmlrpc@redhat.com changed:
Link ID: added Red Hat Product Errata RHSA-2022:6407