CVE-2018-12545
Denial of Service vulnerability in jetty-server (Maven)
What is CVE-2018-12545 About?
This vulnerability in Eclipse Jetty allows for a denial of service condition when remote clients send large or numerous HTTP/2 SETTINGS frames. The server expends excessive CPU and memory processing these frames, making it relatively easy for an attacker to disrupt service.
Affected Software
- org.eclipse.jetty:jetty-server
  - >9.3.0, <9.3.25.v20180904
  - >9.4.0, <9.4.12.v20180830
Technical Details
In Eclipse Jetty versions 9.3.x and 9.4.x, the server is susceptible to Denial of Service (DoS) attacks via HTTP/2 SETTINGS frames. This occurs when a remote client sends either a single large SETTINGS frame containing numerous settings, or many small SETTINGS frames. The vulnerability stems from the additional CPU and memory allocations required by Jetty to handle and process these changed settings. This excessive resource consumption can lead to system degradation or unresponsiveness, effectively denying service to legitimate users.
What is the Impact of CVE-2018-12545?
Successful exploitation may allow attackers to exhaust server resources, leading to a denial of service and making the application or service unavailable to legitimate users.
What is the Exploitability of CVE-2018-12545?
Exploitation is relatively straightforward for an attacker who can send HTTP/2 requests to the vulnerable Jetty server. The complexity is low to medium, as it primarily involves crafting and sending specific types or quantities of SETTINGS frames. No authentication or specific privileges are required for this remote attack. The main prerequisite is that the Jetty server must be configured to use HTTP/2. The risk of exploitation increases in publicly accessible services, as it allows unauthenticated attackers to disrupt service availability with minimal effort.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-12545?
Available Upgrade Options
- org.eclipse.jetty:jetty-server
  - >9.3.0, <9.3.25.v20180904 → Upgrade to 9.3.25.v20180904
  - >9.4.0, <9.4.12.v20180830 → Upgrade to 9.4.12.v20180830
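To check a build against the affected ranges listed above, here is an added example (not part of this advisory and not Jetty or Resolved Security code): a small Python checker that parses Jetty's `MAJOR.MINOR.PATCH.vYYYYMMDD` version strings and scans `mvn dependency:list` style output for jetty-server coordinates inside the vulnerable ranges. The sample dependency lines are constructed, and treating non-date qualifiers such as `RC2` as older than any dated build is an assumption.

```python
import re
from typing import List, Tuple

# Affected ranges exactly as listed in this advisory (both bounds exclusive).
AFFECTED_RANGES = [
    ("9.3.0", "9.3.25.v20180904"),
    ("9.4.0", "9.4.12.v20180830"),
]

# Constructed sample of `mvn dependency:list` output (not from a real project).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.11.v20180605:compile
[INFO]    org.eclipse.jetty:jetty-util:jar:9.4.11.v20180605:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:9.3.25.v20180904:test
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.12.v20180830:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:9.2.28.v20190418:runtime
"""

_DATE_QUALIFIER = re.compile(r"^v(\d{8})$")
_DEP_LINE = re.compile(r"org\.eclipse\.jetty:jetty-server:jar:([^:]+):(\w+)")


def _leading_int(part: str) -> int:
    m = re.match(r"\d+", part)
    return int(m.group()) if m else 0


def parse_jetty_version(version: str) -> Tuple[int, int, int, int]:
    """'9.4.11.v20180605' -> (9, 4, 11, 20180605). Assumption: only numeric
    parts and the Jetty 'vYYYYMMDD' qualifier are understood; any other
    qualifier (e.g. 'RC2') sorts as 0, i.e. before every dated build."""
    parts = version.split(".")
    nums = [_leading_int(p) for p in parts[:3]] + [0, 0, 0]
    date = 0
    if len(parts) > 3:
        m = _DATE_QUALIFIER.match(parts[3])
        if m:
            date = int(m.group(1))
    return (nums[0], nums[1], nums[2], date)


def is_affected(version: str) -> bool:
    """True if the version falls strictly inside one of the affected ranges."""
    v = parse_jetty_version(version)
    return any(parse_jetty_version(lo) < v < parse_jetty_version(hi)
               for lo, hi in AFFECTED_RANGES)


def find_vulnerable_jetty_server(dependency_list: str) -> List[Tuple[str, str]]:
    """Return (version, scope) for each jetty-server line in an affected range."""
    hits = []
    for line in dependency_list.splitlines():
        m = _DEP_LINE.search(line)
        if m and is_affected(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Run it against the real output of `mvn dependency:list` to confirm whether any scope still pulls in a jetty-server version below the fixed releases.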
Additional Resources
- https://lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79@%3Cnotifications.accumulo.apache.org%3E
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096
- https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2%40%3Ccommits.accumulo.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6
- https://osv.dev/vulnerability/GHSA-h2f4-v4c4-6wx4
- https://nvd.nist.gov/vuln/detail/CVE-2018-12545
What are Similar Vulnerabilities to CVE-2018-12545?
Similar Vulnerabilities: CVE-2017-7657, CVE-2017-7658, CVE-2017-7659, CVE-2017-9799, CVE-2017-1000382
