Improper resource allocation In org.eclipse.jetty:jetty-deploy
Description
OutOfMemoryError for large multipart without filename in Eclipse Jetty
Impact
Servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and a very large content.
This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk.
An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError.
However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.
A very large number of parts may cause the same problem.
Patches
Patched in Jetty versions
9.4.51.v20230217 - via PR #9345
10.0.14 - via PR #9344
11.0.14 - via PR #9344
Workarounds
Multipart parameter maxRequestSize must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
Limiting multipart parameter maxFileSize won't be enough because an attacker can send a large number of parts that summed up will cause memory issues.
References
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 maven | - | ||
maven | - | ||
maven | 9.4.51.v20230217, 10.0.14, 11.0.14 | ||
 debian 11 | 9.4.39-3+deb11u2 | ||
debian 12 | 9.4.50-4+deb12u1 | ||
debian 13 | 9.4.52-1 | ||
debian 14 | 9.4.52-1 | ||
maven | - | ||
maven | - | ||
maven | - |
1-10 of 12
10
Aliases
References