Fluid Attacks Database

Description

Eclipse Jetty's PushSessionCacheFilter can cause remote DoS attacks

Impact

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Patches

https://github.com/jetty/jetty.project/pull/9715

https://github.com/jetty/jetty.project/pull/9716

Workarounds

The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:

not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.

reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.

configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

References

https://github.com/jetty/jetty.project/pull/10756

https://github.com/jetty/jetty.project/pull/10755

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	jetty9	=9.4.50-4 \|\| =9.4.50-4+deb12u1 \|\| =9.4.50-4+deb12u2 \|\| =9.4.50-4+deb12u3 \|\| =9.4.51-1 \|\| =9.4.51-2 \|\| =9.4.52-1 \|\| =9.4.53-1 \|\| =9.4.54-1 \|\| =9.4.55-1 \|\| =9.4.56-1 \|\| >=0 <9.4.57-0+deb12u1	9.4.57-0+deb12u1
debian 13	jetty9	>=0 <9.4.54-1	9.4.54-1
debian 14	jetty9	>=0 <9.4.54-1	9.4.54-1
debian 11	jetty9	=9.4.39-3 \|\| =9.4.39-3+deb11u1 \|\| =9.4.39-3+deb11u2 \|\| =9.4.44-1 \|\| =9.4.44-2 \|\| =9.4.44-3 \|\| =9.4.44-4 \|\| =9.4.45-1 \|\| =9.4.46-1 \|\| =9.4.48-1 \|\| =9.4.49-1 \|\| =9.4.49-1.1 \|\| =9.4.50-1 \|\| =9.4.50-1~bpo11+1 \|\| =9.4.50-2 \|\| =9.4.50-3 \|\| =9.4.50-4 \|\| =9.4.50-4+deb11u1 \|\| =9.4.50-4+deb11u2 \|\| =9.4.51-1 \|\| =9.4.51-2 \|\| =9.4.52-1 \|\| =9.4.53-1 \|\| =9.4.54-1 \|\| =9.4.55-1 \|\| =9.4.56-1 \|\| >=0 <9.4.57-0+deb11u1	9.4.57-0+deb11u1
maven	org.eclipse.jetty:jetty-servlets	>=10.0.0 <10.0.18 \|\| >=11.0.0 <11.0.18 \|\| >=12.0.0 <12.0.4	10.0.18, 11.0.18, 12.0.4

Aliases

1. CVE-2024-67622. NVD-2024-67623. OSV-DEBIAN-2024-67624. OSV-2024-67625. GHSA-r7m4-f9h5-gr796. GCVE-2024-67627. SECURITY-TRACKER-CVE-2024-67628. lists.debian.org

References

1. https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr792. https://github.com/jetty/jetty.project/pull/107553. https://github.com/jetty/jetty.project/pull/107564. https://github.com/jetty/jetty.project/pull/97155. https://github.com/jetty/jetty.project/pull/97166. https://gitlab.eclipse.org/security/cve-assignement/-/issues/24

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.