https://bugzilla.redhat.com/show_bug.cgi?id=1934116
Bug ID: 1934116
Summary: CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: abenaiss@redhat.com, aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, aos-bugs@redhat.com, ataylor@redhat.com, bibryam@redhat.com, bmontgom@redhat.com, chazlett@redhat.com, drieden@redhat.com, eclipse-sig@lists.fedoraproject.org, eparis@redhat.com, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, hbraun@redhat.com, ibek@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jcoleman@redhat.com, jjohnstn@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, ldimaggi@redhat.com, mat.booth@redhat.com, mcermak@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, mprchlik@redhat.com, nstielau@redhat.com, nwallace@redhat.com, pantinor@redhat.com, patrickm@redhat.com, pbhattac@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, rrajasek@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sdaley@redhat.com, sd-operator-metering@redhat.com, sochotni@redhat.com, sponnaga@redhat.com, sthorger@redhat.com, tcunning@redhat.com, tflannag@redhat.com, tkirby@redhat.com, vbobade@redhat.com, vkadlcik@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state: processing those quality values drives CPU usage high, and a single such request can exhaust minutes of CPU time.
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-...
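The shape of the input described above (several Accept headers, each carrying many q parameters) is easy to bound before it reaches a content-negotiation parser. The following is an added example, not Jetty code and not part of this report: a request-side guard, of the kind a reverse proxy or servlet filter would run, that counts q parameters across the Accept-family headers of a raw HTTP/1.1 request and rejects the request with 431 when a budget is exceeded. The header set (Accept, Accept-Charset, Accept-Encoding, Accept-Language, chosen because the getLocale and pre-compressed-content paths mentioned later in this bug consume those headers), the budget of 32 and the sample requests are all assumptions.

```python
# Added example (not Jetty code, not from the bug report): a request-side
# guard that counts "q" parameters across Accept-family headers and rejects
# requests that exceed a budget before the values reach a quality-value
# parser. The header set, the budget and the sample requests are assumptions.
from typing import Dict, List, Tuple

# Headers whose values carry q-values. Accept-Language and Accept-Encoding are
# included because the getLocale and pre-compressed-content paths discussed in
# this bug consume them (assumption: guard all four).
ACCEPT_FAMILY = ("accept", "accept-charset", "accept-encoding", "accept-language")

MAX_Q_PARAMS_PER_REQUEST = 32   # assumed budget; real clients send a handful


def parse_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split an HTTP/1.1 request head into its request line and a header map.

    Repeated headers are kept in arrival order as a list, because the issue
    is specifically about multiple Accept headers on one request.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def count_q_params(values: List[str]) -> int:
    """Count ';q=' parameters over all comma-separated elements of the values."""
    n = 0
    for value in values:
        for element in value.split(","):
            for param in element.split(";")[1:]:
                if param.strip().lower().startswith("q="):
                    n += 1
    return n


def q_param_budget_exceeded(headers: Dict[str, List[str]],
                            budget: int = MAX_Q_PARAMS_PER_REQUEST) -> bool:
    """True when the Accept-family headers carry more q parameters than allowed."""
    total = sum(count_q_params(headers.get(name, [])) for name in ACCEPT_FAMILY)
    return total > budget


def check_request(raw: bytes,
                  budget: int = MAX_Q_PARAMS_PER_REQUEST) -> Tuple[int, str]:
    """Return (status, reason): 431 to reject, 400 for a malformed head, 0 to pass."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return 400, str(exc)
    if q_param_budget_exceeded(headers, budget):
        return 431, "too many quality parameters in Accept headers"
    return 0, "ok"


# Constructed sample request (not captured traffic): a typical browser head.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Accept: text/html,application/xhtml+xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Language: en-GB,en;q=0.7\r\n"
    b"Accept-Encoding: gzip, deflate, br\r\n"
    b"\r\n"
)


def build_flood_request(headers: int = 4, params_per_header: int = 200) -> bytes:
    """Build the shape the CVE describes: several Accept headers, each with many q values.

    Constructed for the guard test only; the media types are made up.
    """
    elements = ",".join(f"text/x-{i};q=0.{i % 9 + 1}" for i in range(params_per_header))
    lines = [b"GET / HTTP/1.1", b"Host: example.test"]
    lines += [f"Accept: {elements}".encode("ascii") for _ in range(headers)]
    return b"\r\n".join(lines) + b"\r\n\r\n"


if __name__ == "__main__":
    print(check_request(BENIGN_REQUEST))
    print(check_request(build_flood_request()))
```

The guard is deliberately linear in the header length and does no sorting or comparison of the q values themselves; it only decides whether the request is allowed to reach the parser that does. Upgrading to a fixed Jetty remains the actual remediation; a budget like this is a defence-in-depth layer for the window before the upgrade lands.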
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1934117
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1934117 [Bug 1934117] CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1934117]
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Blocks                |        |1934118
Jonathan Christison jochrist@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Fixed In Version      |        |jetty-9.4.37.v20210219
                      |        |jetty-10.0.1 jetty-11.0.1
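Added example, not from this report or from the Jetty project: a small checker that classifies Jetty version strings against the affected range in the description (9.4.6 to 9.4.36 inclusive, 10.0.0, 11.0.0) and the fixed versions recorded above, then scans `mvn dependency:tree` output for org.eclipse.jetty artifacts that still need the upgrade. It assumes the `.vYYYYMMDD` qualifier can be ignored for range comparison (the numeric part determines the release), and the sample tree lines are constructed, not taken from a real build.

```python
# Added example (not from the bug report or Jetty): classify Jetty versions
# against the affected and fixed ranges for CVE-2020-27223 and scan Maven
# dependency:tree output for artifacts that need upgrading. The sample tree
# lines are constructed, not taken from a real build.
import re
from typing import List, Optional, Tuple

# Affected (from the description): 9.4.6 .. 9.4.36 inclusive, 10.0.0, 11.0.0.
# Fixed (Fixed In Version): 9.4.37.v20210219, 10.0.1, 11.0.1.
AFFECTED_9_4_PATCH_RANGE = (6, 36)
AFFECTED_EXACT = {(10, 0, 0), (11, 0, 0)}

# Jetty-style version: major.minor.patch with an optional .vYYYYMMDD qualifier.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")


def parse_jetty_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'9.4.36.v20210114' -> (9, 4, 36); None if the string is not a Jetty-style version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True when the version falls inside the CVE-2020-27223 affected ranges.

    Assumption: the date qualifier is ignored, since the numeric part fixes the release.
    """
    v = parse_jetty_version(version)
    if v is None:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    major, minor, patch = v
    if (major, minor) == (9, 4):
        low, high = AFFECTED_9_4_PATCH_RANGE
        return low <= patch <= high
    return v in AFFECTED_EXACT


# Matches one dependency:tree line for an org.eclipse.jetty[.subgroup] artifact.
_DEP_RE = re.compile(r"org\.eclipse\.jetty(?:\.[\w.]+)?:([\w.-]+):jar:([^:\s]+):")


def find_affected_artifacts(tree_output: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) pairs from dependency:tree output that are affected."""
    hits: List[Tuple[str, str]] = []
    for line in tree_output.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        artifact, version = m.group(1), m.group(2)
        try:
            if is_affected(version):
                hits.append((artifact, version))
        except ValueError:
            continue  # non-standard version string; real tooling should report it separately
    return hits


# Constructed sample output in the shape `mvn dependency:tree` prints (not a real build).
SAMPLE_TREE = """\
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.35.v20201120:compile
[INFO] |  +- org.eclipse.jetty:jetty-http:jar:9.4.35.v20201120:compile
[INFO] |  \\- org.eclipse.jetty:jetty-io:jar:9.4.35.v20201120:compile
[INFO] +- org.eclipse.jetty.websocket:websocket-server:jar:9.4.37.v20210219:compile
[INFO] +- org.eclipse.jetty:jetty-util:jar:10.0.0:compile
[INFO] \\- org.eclipse.jetty:jetty-util:jar:11.0.1:compile
"""

if __name__ == "__main__":
    for artifact, version in find_affected_artifacts(SAMPLE_TREE):
        print(f"upgrade needed: {artifact} {version}")
```

Pipe the real output of `mvn dependency:tree` into `find_affected_artifacts` to get the list; artifacts pulled in transitively (the common case for camel-jetty, Hive/Presto/Hadoop and similar stacks mentioned later in this bug) show up the same way as direct dependencies.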
--- Comment #4 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat Camel K as having a low impact. Although Camel K distributes jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer; HTTP functionality is provided by the camel-k default runtime, Quarkus.
--- Comment #5 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss A-MQ 6
* Red Hat JBoss Fuse Service Works
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Przemyslaw Roguski proguski@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1891693
Przemyslaw Roguski proguski@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1891694
Przemyslaw Roguski proguski@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1905620
Przemyslaw Roguski proguski@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1891703
Przemyslaw Roguski proguski@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1891695
--- Comment #8 from Przemyslaw Roguski proguski@redhat.com --- External References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-...
Florencio Cano fcanogab@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1936910, 1936908, 1936909
--- Comment #10 from Jonathan Christison jochrist@redhat.com --- A word on scoring: our scoring is currently 5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, and NVD of 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H will change to 5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
My take:
Exploitability Metrics:
Attack Vector Network (AV:N) - Agree here. Jetty is both an HTTP server and client; in the context of this vulnerability it is the server that is affected. The component is commonly bound to the network stack and is also commonly a WAN-facing service.
Attack Complexity Low (AC:L) - Agree here. The attack complexity is low, although there is the complexity of application configuration making this attack less viable; it should only expose the user when using one of the below features. We consider this configuration, which we assume is in place, for the purposes of the base score:
* Using the default error page/handler
* Exposing StatisticsServlet to network traffic
* Application using getLocale API
* pre-compressed static content in the DefaultServlet is enabled
Privileges Required None (PR:N) - Agree here. The attacker does not need to be a privileged user, e.g. no login is required to exploit the base flaw.
User Interaction None (UI:N) - Agree here. A user does not need to be coerced into performing any action for this flaw; an attacker can expect to be successful if the jetty service is configured with any of the prerequisites mentioned in the AC section.
Scope Unchanged (S:U) - Agree here. The attacker will not be able to escape the scope of the executing JVM solely due to this flaw.
Impact Metrics:
Confidentiality None (C:N) - Agree here. There is no loss of confidentiality within the impacted component, and nothing is disclosed to the attacker through this attack.
Integrity None (I:N) - Agree here. There is no loss of integrity within the impacted component, and no data is altered by the attacker.
Availability High (A:H) -> Availability Low (A:L) - We disagree here. Although this is a DoS attack, there is not a total, sustained or serious loss of availability in all circumstances: all requests will continue to be handled, but the CPU usage will increase. This may result in reduced performance or some interruptions in resource availability, but the attacker doesn't have the ability to deny all resources to legitimate users at will.
Riccardo Schirone rschiron@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Comment #2 is private |1       |0
CC                    |        |rschiron@redhat.com
Riccardo Schirone rschiron@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1941533, 1941532
--- Comment #13 from Przemyslaw Roguski proguski@redhat.com --- Statement:
In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of jetty. Since the release of OCP 4.6, the Metering product has been deprecated [1]; hence the affected components are marked as wontfix. This may be fixed in the future.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rele...
Bug 1934116 depends on bug 1934117, which changed state.
Bug 1934117 Summary: CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1934117
What                  |Removed |Added
----------------------+--------+------------------------
Status                |NEW     |CLOSED
Resolution            |---     |CURRENTRELEASE
Vibhav Bobade vbobade@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1952337
Vibhav Bobade vbobade@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1952340
Adam Kaplan adam.kaplan@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Depends On            |        |1972361
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1972361 [Bug 1972361] Bump jenkins version to 2.289.1
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2021:2499 https://access.redhat.com/errata/RHSA-2021:2499
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Link ID               |        |Red Hat Product Errata
                      |        |RHSA-2021:2499
Product Security DevOps Team prodsec-dev@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Status                |NEW     |CLOSED
Resolution            |---     |ERRATA
Last Closed           |        |2021-06-29 10:41:05
--- Comment #18 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-27223
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2021:2517 https://access.redhat.com/errata/RHSA-2021:2517
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Link ID               |        |Red Hat Product Errata
                      |        |RHSA-2021:2517
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2021:2431 https://access.redhat.com/errata/RHSA-2021:2431
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Link ID               |        |Red Hat Product Errata
                      |        |RHSA-2021:2431
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.8.2
Via RHSA-2021:2689 https://access.redhat.com/errata/RHSA-2021:2689
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Link ID               |        |Red Hat Product Errata
                      |        |RHSA-2021:2689
Bug 1934116 depends on bug 1972361, which changed state.
Bug 1972361 Summary: Bump jenkins version to 2.289.1 https://bugzilla.redhat.com/show_bug.cgi?id=1972361
What                  |Removed         |Added
----------------------+----------------+----------------
Status                |RELEASE_PENDING |CLOSED
Resolution            |---             |ERRATA
--- Comment #22 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.9.0
Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Link ID               |        |Red Hat Product Errata
                      |        |RHSA-2021:3700
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Integration
Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Link ID               |        |Red Hat Product Errata
                      |        |RHSA-2021:4767
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.10
Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Link ID               |        |Red Hat Product Errata
                      |        |RHSA-2021:5134
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHAF Camel-K 1.8
Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What                  |Removed |Added
----------------------+--------+------------------------
Link ID               |        |Red Hat Product Errata
                      |        |RHSA-2022:6407