[GHSA-h2f4-v4c4-6wx4] Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server

[Meet003118]

Updates

• Affected products
• References

Comments
Two updates are made:

1. Removed patched version for 9.3.x version range:

The CVE describes two attack vectors - a single large SETTINGS frame with many keys, and many small SETTINGS frames.

The fix can be traced to commit: jetty/jetty.project@9eca404 and PR: jetty/jetty.project#2723 - Improve configurability for SETTINGS frames, which :

• Introduces DEFAULT_MAX_KEYS = 64 in SettingsFrame.java
• Adds a running keys counter in SettingsBodyParser.java that is NOT reset between frames (covering both attack vectors)
• Includes two explicit tests:testGenerateParseTooManySettingsInOneFrame and testGenerateParseTooManySettingsInMultipleFrames that directly validate both CVE attack scenarios

This was also independently confirmed in a bugzilla report : https://bugzilla.redhat.com/show_bug.cgi?id=1696062#c3

Commit 9eca404 was only merged into the 9.4.x branch and shipped in version 9.4.12.RC1. It was never backported to 9.3.x. This can be verified by inspecting SettingsBodyParser.java directly on the 9.3.x branch - the maxKeys guard and DEFAULT_MAX_KEYS constant are both absent across all 9.3.x versions including 9.3.25.v20180904.

The 9.3.x patched version stated in the advisory is therefore incorrect.

2. Updated affected package based on correct fix commit:

The vulnerable and patched code resides in org.eclipse.jetty.http2:http2-common (SettingsBodyParser.java), not in GA : org.eclipse.jetty:jetty-server, jetty-server contains no HTTP/2 frame parsing logic.

[JonathanLEvans]

🤔 We seem to have taken the fixed versions from this comment. jetty/jetty.project#2722 (which jetty/jetty.project#2723 fixes) says it is addressing CVE-2019-9515, though the vulnerabilities seem related. I will take a closer look.

[Meet003118]

Hi @JonathanLEvans,

Any update on this issue ?

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[Meet003118]

Hi Team, @JonathanLEvans, @shelbyc

Any update on this PR?

[advisory-database]

Hi @Meet003118! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!