Fluid Attacks Database

Description

Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks

Impact

Remote DOS attack can cause out of memory

Description

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.

Affected Versions

Jetty 12.0.0-12.0.8 (Supported)

Jetty 11.0.0-11.0.23 (EOL)

Jetty 10.0.0-10.0.23 (EOL)

Jetty 9.3.12-9.4.55 (EOL)

Patched Versions

Jetty 12.0.9

Jetty 11.0.24

Jetty 10.0.24

Jetty 9.4.56

Workarounds

Do not use ThreadLimitHandler.
Consider use of QoSHandler instead to artificially limit resource utilization.

References

Jetty 12 - https://github.com/jetty/jetty.project/pull/11723

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	jetty9	=9.4.50-4 \|\| =9.4.50-4+deb12u1 \|\| =9.4.50-4+deb12u2 \|\| =9.4.50-4+deb12u3 \|\| =9.4.51-1 \|\| =9.4.51-2 \|\| =9.4.52-1 \|\| =9.4.53-1 \|\| =9.4.54-1 \|\| =9.4.55-1 \|\| =9.4.56-1 \|\| >=0 <9.4.57-0+deb12u1	9.4.57-0+deb12u1
debian 11	jetty9	=9.4.39-3 \|\| =9.4.39-3+deb11u1 \|\| =9.4.39-3+deb11u2 \|\| =9.4.44-1 \|\| =9.4.44-2 \|\| =9.4.44-3 \|\| =9.4.44-4 \|\| =9.4.45-1 \|\| =9.4.46-1 \|\| =9.4.48-1 \|\| =9.4.49-1 \|\| =9.4.49-1.1 \|\| =9.4.50-1 \|\| =9.4.50-1~bpo11+1 \|\| =9.4.50-2 \|\| =9.4.50-3 \|\| =9.4.50-4 \|\| =9.4.50-4+deb11u1 \|\| =9.4.50-4+deb11u2 \|\| =9.4.51-1 \|\| =9.4.51-2 \|\| =9.4.52-1 \|\| =9.4.53-1 \|\| =9.4.54-1 \|\| =9.4.55-1 \|\| =9.4.56-1 \|\| >=0 <9.4.57-0+deb11u1	9.4.57-0+deb11u1
debian 13	jetty9	>=0 <9.4.56-1	9.4.56-1
debian 14	jetty9	>=0 <9.4.56-1	9.4.56-1
maven	org.eclipse.jetty:jetty-server	>=12.0.0 <12.0.9 \|\| >=10.0.0 <10.0.24 \|\| >=11.0.0 <11.0.24 \|\| >=9.3.12 <9.4.56	12.0.9, 10.0.24, 11.0.24, 9.4.56

Aliases

1. CVE-2024-81842. NVD-2024-81843. OSV-DEBIAN-2024-81844. OSV-2024-81845. GHSA-g8m5-722r-8whq6. GCVE-2024-81847. SECURITY-TRACKER-CVE-2024-81848. lists.debian.org

References

1. https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq2. https://github.com/jetty/jetty.project/pull/117233. https://gitlab.eclipse.org/security/cve-assignement/-/issues/30

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.