Eclipse Jetty Web Server Vulnerable to Denial of Service Attacks

CVE: CVE-2023-36478
CVSS v3.1: 7.5
Source: CVE-2023-36478

Eclipse Jetty is an open source web server and servlet container that is used by many organizations. Unfortunately, versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52 of Jetty were found to be vulnerable to denial of service attacks.

The vulnerability lies in how Jetty handles HPACK header values during HTTP/2 requests. Because of an integer overflow in the header size check, very large header values could be passed to Jetty without the expected error being thrown. This allows an attacker to send requests with exaggerated header sizes that could cause the server to allocate huge amounts of memory.
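The following is an added illustration of the bug class described above, not code from Jetty. It shows a hypothetical HPACK header-size check (class `HeaderSizeCheck`, limit `maxSize`, and the "multiply by 4 for Huffman-coded strings" estimate are all assumptions made for the example) in which the estimate is computed in `int`, so a sufficiently large length wraps negative and the bound check is silently bypassed, alongside a hardened version that rejects negative lengths and performs the arithmetic in `long`.

```java
// Added illustrative example (not Jetty's own code): a header-size check that can
// be bypassed by int overflow, and a hardened variant. All names are hypothetical.
public class HeaderSizeCheck {
    private final int maxSize;   // assumed limit on accumulated header-field bytes
    private int size;            // bytes accounted for so far in this header block

    public HeaderSizeCheck(int maxSize) {
        this.maxSize = maxSize;
    }

    // Vulnerable pattern: the Huffman estimate (length * 4) is computed in int,
    // so a length of 0x40000000 or more wraps and the bound check passes.
    public void checkSizeVulnerable(int length, boolean huffman) {
        int estimate = huffman ? length * 4 : length;
        if (size + estimate > maxSize) {
            throw new IllegalStateException("header too large: " + estimate);
        }
        size += estimate; // may even go negative, leading to a huge allocation later
    }

    // Hardened pattern: reject negative lengths outright and widen to long so the
    // multiplication and addition cannot wrap before the comparison.
    public void checkSizeFixed(int length, boolean huffman) {
        if (length < 0) {
            throw new IllegalArgumentException("negative length: " + length);
        }
        long estimate = huffman ? 4L * length : length;
        if ((long) size + estimate > maxSize) {
            throw new IllegalStateException("header too large: " + estimate);
        }
        size += (int) estimate; // safe: estimate <= maxSize - size, which fits in int
    }

    public int getSize() {
        return size;
    }

    public static void main(String[] args) {
        int bigLength = 0x40000000; // constructed value: 0x40000000 * 4 == 2^32, wraps to 0 in int

        HeaderSizeCheck vulnerable = new HeaderSizeCheck(8192);
        vulnerable.checkSizeVulnerable(bigLength, true); // no exception: estimate wrapped to 0
        System.out.println("vulnerable check accepted length " + bigLength
                + ", accounted size = " + vulnerable.getSize());

        HeaderSizeCheck fixed = new HeaderSizeCheck(8192);
        try {
            fixed.checkSizeFixed(bigLength, true);
            System.out.println("hardened check accepted (unexpected)");
        } catch (IllegalStateException e) {
            System.out.println("hardened check rejected: " + e.getMessage());
        }
    }
}
```

The defensive takeaway is general: any size or length that comes from the wire must be validated as non-negative and combined using overflow-safe arithmetic (widening to `long`, or `Math.multiplyExact` / `Math.addExact`) before it is compared against a limit or used to size a buffer.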

With enough of these malicious requests, servers running vulnerable Jetty versions could be flooded to the point of crashing or becoming unavailable. This type of denial of service attack aims to overwhelm website resources and prevent legitimate users from accessing the site.

The good news is that this issue has now been addressed in newer Jetty releases. Users are advised to upgrade to versions 11.0.16 or higher to protect themselves from exploitation. Timely security updates and patching of software components are also important for mitigating denial of service and other vulnerabilities.