Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to
exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295
will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/10/18/4 | Mailing List Third Party Advisory |
https://github.com/eclipse/jetty.project/pull/9634 | Issue Tracking Patch |
https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16 | Release Notes |
https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16 | Release Notes |
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009 | Release Notes |
https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r | Exploit Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html | Mailing List |
https://security.netapp.com/advisory/ntap-20231116-0011/ | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20240621-0006/ | |
https://www.debian.org/security/2023/dsa-5540 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
21 Jun 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Feb 2024, 18:40
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
|
First Time |
Debian
Debian debian Linux |
|
References | () https://security.netapp.com/advisory/ntap-20231116-0011/ - Third Party Advisory | |
References | (MISC) https://www.debian.org/security/2023/dsa-5540 - Third Party Advisory | |
References | (MISC) https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html - Mailing List |
16 Nov 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
31 Oct 2023, 07:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Oct 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
CWE | CWE-400 |
27 Oct 2023, 19:12
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:* cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* |
|
References | (MISC) https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r - Exploit, Vendor Advisory | |
References | (MISC) https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16 - Release Notes | |
References | (MISC) http://www.openwall.com/lists/oss-security/2023/10/18/4 - Mailing List, Third Party Advisory | |
References | (MISC) https://github.com/eclipse/jetty.project/pull/9634 - Issue Tracking, Patch | |
References | (MISC) https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16 - Release Notes | |
References | (MISC) https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009 - Release Notes | |
First Time |
Jenkins jenkins
Eclipse Jenkins Eclipse jetty |
|
CWE | CWE-190 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
18 Oct 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-400 |
|
References |
|
10 Oct 2023, 17:52
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-10-10 17:15
Updated : 2024-06-21 19:15
NVD link : CVE-2023-36478
Mitre link : CVE-2023-36478
CVE.ORG link : CVE-2023-36478
JSON object : View
Products Affected
debian
- debian_linux
eclipse
- jetty
jenkins
- jenkins