https://bugzilla.redhat.com/show_bug.cgi?id=1696062
Bug ID: 1696062
Summary: CVE-2018-12545 jetty: large settings frames causing denial of service
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190320,reported=20190328,source=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty=affected,fuse-7/jetty=affected,rhn_satellite_5/jetty=affected,rhscl-3/rh-java-common-jetty=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: bkearney@redhat.com, chazlett@redhat.com, decathorpe@gmail.com, eclipse-sig@lists.fedoraproject.org, ggainey@redhat.com, hhorak@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jjohnstn@redhat.com, jorton@redhat.com, krzysztof.daniel@gmail.com, mizdebsk@redhat.com, sochotni@redhat.com, stewardship-sig@lists.fedoraproject.org, tlestach@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty versions 9.3.x and 9.4.x, the HTTP/2 server is vulnerable to denial of service if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
Reference: https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096
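The description above names two attack shapes: a single SETTINGS frame carrying many settings, and a stream of many small SETTINGS frames. The Python below is an added illustration written for this page; it is not Jetty's code and not the upstream fix referenced later in this bug. It parses the HTTP/2 SETTINGS frame layout from RFC 7540 and applies the two bounds a server needs: a per-frame cap on the number of settings, checked from the header length before any entry is decoded, and a per-connection sliding-window rate limit on SETTINGS frames. The limit values (64 settings per frame, 20 frames per second), the function and class names, and the sample frames are all assumptions constructed for the example.

```python
import struct
import time
from collections import deque

# HTTP/2 constants (RFC 7540 section 6.5).
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ACK_FLAG = 0x1
FRAME_HEADER_LEN = 9
SETTING_ENTRY_LEN = 6  # 16-bit identifier + 32-bit value

# Illustrative limits: assumptions for this example, not Jetty's defaults.
MAX_SETTINGS_PER_FRAME = 64
MAX_SETTINGS_FRAMES_PER_WINDOW = 20
WINDOW_SECONDS = 1.0


class ProtocolError(Exception):
    """Raised where a real server would send GOAWAY and close the connection."""


def build_settings_frame(entries, ack=False, stream_id=0):
    """Serialise a SETTINGS frame: 9-byte header followed by 6-byte (id, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    if ack and payload:
        raise ValueError("SETTINGS ACK must carry an empty payload")
    flags = SETTINGS_ACK_FLAG if ack else 0
    header = (
        len(payload).to_bytes(3, "big")
        + bytes([SETTINGS_FRAME_TYPE, flags])
        + struct.pack("!I", stream_id & 0x7FFFFFFF)
    )
    return header + payload


def parse_settings_frame(frame, max_settings=MAX_SETTINGS_PER_FRAME):
    """Parse one SETTINGS frame, rejecting oversized frames before allocating per-entry state.

    Returns (is_ack, [(identifier, value), ...]).
    """
    if len(frame) < FRAME_HEADER_LEN:
        raise ProtocolError("truncated frame header")
    length = int.from_bytes(frame[:3], "big")
    frame_type, flags = frame[3], frame[4]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if frame_type != SETTINGS_FRAME_TYPE:
        raise ProtocolError("not a SETTINGS frame")
    if stream_id != 0:
        raise ProtocolError("SETTINGS must be sent on stream 0")
    if flags & SETTINGS_ACK_FLAG and length != 0:
        raise ProtocolError("SETTINGS ACK with non-empty payload")
    if length % SETTING_ENTRY_LEN:
        raise ProtocolError("FRAME_SIZE_ERROR: payload not a multiple of 6 bytes")
    if len(frame) < FRAME_HEADER_LEN + length:
        raise ProtocolError("truncated SETTINGS payload")
    # The bound that matters for the first attack shape: cap the work one frame
    # can demand, decided from the header alone before any entry is decoded.
    count = length // SETTING_ENTRY_LEN
    if count > max_settings:
        raise ProtocolError(f"too many settings in one frame: {count} > {max_settings}")
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    entries = [
        struct.unpack("!HI", payload[i:i + SETTING_ENTRY_LEN])
        for i in range(0, length, SETTING_ENTRY_LEN)
    ]
    return bool(flags & SETTINGS_ACK_FLAG), entries


class SettingsRateLimiter:
    """Sliding-window counter for the second attack shape: many small SETTINGS frames.

    A peer gets at most `max_frames` SETTINGS frames per `window` seconds; a
    caller that receives False should treat the connection as abusive.
    """

    def __init__(self, max_frames=MAX_SETTINGS_FRAMES_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_frames = max_frames
        self.window = window
        self._arrivals = deque()

    def allow(self, now=None):
        now = time.monotonic() if now is None else now
        while self._arrivals and now - self._arrivals[0] >= self.window:
            self._arrivals.popleft()
        if len(self._arrivals) >= self.max_frames:
            return False
        self._arrivals.append(now)
        return True


def handle_settings_frame(frame, limiter):
    """Apply both defences in the order a server would: frame rate first, then frame size."""
    if not limiter.allow():
        raise ProtocolError("SETTINGS frame rate exceeded")
    return parse_settings_frame(frame)


if __name__ == "__main__":
    # Constructed samples: one benign frame and the two abusive shapes from the advisory.
    benign = build_settings_frame([(0x3, 100), (0x4, 65535)])  # MAX_CONCURRENT_STREAMS, INITIAL_WINDOW_SIZE
    print("benign:", parse_settings_frame(benign))
    flood = build_settings_frame([(0x4, 65535)] * 500)
    try:
        parse_settings_frame(flood)
    except ProtocolError as err:
        print("large frame rejected:", err)
    limiter = SettingsRateLimiter()
    small = build_settings_frame([(0x4, 65535)])
    accepted = 0
    for _ in range(100):
        try:
            handle_settings_frame(small, limiter)
            accepted += 1
        except ProtocolError:
            pass
    print("small frames accepted in one window:", accepted)
```

The per-frame cap is deliberately derived from the 24-bit length field rather than from the decoded entries, so a hostile frame is refused at the cost of one header read instead of one allocation per setting. The rate limiter takes an explicit `now` so it can be tested deterministically; production code would let it default to the monotonic clock.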
Dhananjay Arunesh darunesh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1696063
Dhananjay Arunesh darunesh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1696088
--- Comment #1 from Dhananjay Arunesh darunesh@redhat.com --- Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1696088]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1696088 [Bug 1696088] CVE-2018-12545 jetty: large settings frames causing denial of service [fedora-all]
Mikolaj Izdebski mizdebsk@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |security-response-team@redhat.com Flags| |needinfo?(security-response-team@redhat.com)
--- Comment #2 from Mikolaj Izdebski mizdebsk@redhat.com --- Can you provide reproducer and/or reference to upstream fix? I've checked upstream Bugzilla, Github issue tracker and git commit logs, but I can't find anything that relates to this vulnerability.
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(security-response-team@redhat.com) |
--- Comment #3 from Huzaifa S. Sidhpurwala huzaifas@redhat.com --- In reply to comment #2:
> Can you provide reproducer and/or reference to upstream fix? I've checked upstream Bugzilla, Github issue tracker and git commit logs, but I can't find anything that relates to this vulnerability.
https://github.com/eclipse/jetty.project/issues/2722 https://github.com/eclipse/jetty.project/commit/9eca404da296f48f7f97eff44e7d...
Hope this helps. There is no reproducer available at this moment
--- Comment #4 from Mikolaj Izdebski mizdebsk@redhat.com --- Thanks, that is enough information for me to fix the issue.
Bug 1696062 depends on bug 1696088, which changed state.
Bug 1696088 Summary: CVE-2018-12545 jetty: large settings frames causing denial of service [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1696088
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA
Cedric Buissart 🐶 cbuissar@redhat.com changed:
What |Removed |Added ----------------------------------------------------------------------------
Whiteboard (removed): impact=moderate,public=20190320,reported=20190328,source=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty=affected,fuse-7/jetty=affected,rhn_satellite_5/jetty=affected,rhscl-3/rh-java-common-jetty=affected
Whiteboard (added): impact=moderate,public=20190320,reported=20190328,source=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty=affected,fuse-7/jetty=affected,rhn_satellite_5/nutch=wontfix/impact=low,rhscl-3/rh-java-common-jetty=affected
--- Comment #5 from Cedric Buissart 🐶 cbuissar@redhat.com --- Statement:
This issue affects the versions of jetty which are embedded in the nutch package as shipped with Red Hat Satellite 5. The jetty server is not exposed; as such, exploitation is difficult, and Red Hat Product Security has rated this issue as having a security impact of Low in the context of Red Hat Satellite 5. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Cedric Buissart 🐶 cbuissar@redhat.com changed:
What |Removed |Added ----------------------------------------------------------------------------
Whiteboard (removed): impact=moderate,public=20190320,reported=20190328,source=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty=affected,fuse-7/jetty=affected,rhn_satellite_5/nutch=wontfix/impact=low,rhscl-3/rh-java-common-jetty=affected
Whiteboard (added): impact=moderate,public=20190320,reported=20190328,source=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty=affected,fuse-7/jetty=affected,rhn_satellite_5/nutch=new/impact=low,rhscl-3/rh-java-common-jetty=affected
Joshua Padman jpadman@redhat.com changed:
What |Removed |Added ----------------------------------------------------------------------------
Whiteboard (removed): impact=moderate,public=20190320,reported=20190328,source=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty=affected,fuse-7/jetty=affected,rhn_satellite_5/nutch=new/impact=low,rhscl-3/rh-java-common-jetty=affected
Whiteboard (added): impact=moderate,public=20190320,reported=20190328,source=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty=wontfix,fuse-7/jetty=affected,rhn_satellite_5/nutch=new/impact=low,rhscl-3/rh-java-common-jetty=affected
--- Comment #6 from Joshua Padman jpadman@redhat.com --- This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |jetty 9.4.21
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1744376, 1744375
Jonathan Christison jochrist@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version|jetty 9.4.21 |jetty 9.4.12