CVE-2021-28165
Denial of Service vulnerability in jetty-server (Maven)
What is CVE-2021-28165 About?
This vulnerability in Jetty's SSL/TLS handling leads to a Denial of Service. A remote attacker can send an oversized, invalid TLS frame to a TLS-enabled Jetty connector; the server mishandles the frame and its CPU usage climbs to 100%. Exploitation is easy: it requires no authentication, only the ability to deliver a crafted packet to the server's TLS port.
Affected Software
- org.eclipse.jetty:jetty-server
- >10.0.0, <10.0.2
- >11.0.0, <11.0.2
- >7.2.2, <9.4.39
Technical Details
The vulnerability is triggered when Jetty, serving HTTP/1.1, HTTP/2 or WebSocket over SSL/TLS, receives an invalid TLS frame larger than 17408 bytes. Such a frame can never be decrypted as a whole, yet instead of rejecting it and closing the connection the server keeps processing it, looping in its TLS read handling. The handling thread spins, CPU usage climbs until it reaches 100%, and the server stops responding to legitimate clients. Plain-text (non-TLS) connectors are not affected, since the defect is confined to the TLS frame handling.
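What "an invalid large TLS frame" means at the wire level, and what correct handling looks like, is easier to see in code. The following Python model is an added example written for this page; it is not Jetty's code and does not reproduce Jetty's internals. It parses the 5-byte TLS record header, applies the RFC 5246 ciphertext limit (or a tighter receiver limit passed in; the page's 17408-byte figure is used as one such limit in the usage calls, which is an assumption about how that number is applied), and rejects a record whose declared length can never fit, which is the outcome the fixed releases produce instead of looping. All sample records are constructed inline.

```python
import struct

# TLS record header: content_type (1 byte) | version (2 bytes) | length (2 bytes)
RECORD_HEADER_LEN = 5
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# RFC 5246 caps TLSCiphertext.length at 2^14 + 2048 bytes. An endpoint may
# enforce a tighter limit tied to its receive buffer; the page's 17408-byte
# figure is used as such a limit in the demonstration below (assumption: what
# that number corresponds to inside Jetty is not stated on this page).
MAX_CIPHERTEXT_LEN = 2 ** 14 + 2048


class MalformedRecord(ValueError):
    """Header fields that cannot belong to a TLS record."""


class OversizedRecord(ValueError):
    """Declared length exceeds what the receiver can ever buffer."""


def parse_record_header(data: bytes, max_len: int = MAX_CIPHERTEXT_LEN) -> dict:
    """Validate a 5-byte TLS record header and return its fields.

    Raising here (and then closing the connection) is the correct outcome for
    an oversized declared length: the record can never fit in the receive
    buffer, so re-reading the socket until it does can only spin the thread,
    which is the failure mode described above.
    """
    if len(data) < RECORD_HEADER_LEN:
        raise MalformedRecord("short header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:RECORD_HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise MalformedRecord(f"unknown content type {ctype}")
    if major != 3 or minor > 3:  # SSL 3.0 .. TLS 1.2 (TLS 1.3 keeps 3.3 on the wire)
        raise MalformedRecord(f"unsupported record version {major}.{minor}")
    if length > max_len:
        raise OversizedRecord(f"declared length {length} exceeds limit {max_len}")
    return {"type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length}


def classify_header(data: bytes, max_len: int = MAX_CIPHERTEXT_LEN) -> str:
    """Decision a connection handler would act on: accept, or close with a reason."""
    try:
        parse_record_header(data, max_len)
        return "accept"
    except OversizedRecord:
        return "close: oversized record"
    except MalformedRecord:
        return "close: malformed record"


def consume_records(stream: bytes, max_len: int = MAX_CIPHERTEXT_LEN):
    """Walk a byte stream record by record.

    A record whose body has not fully arrived is a legitimate underflow: stop
    and wait for more bytes. A record that declares more than max_len is not,
    and parse_record_header raises instead of letting the loop retry forever.
    """
    records, offset = [], 0
    while offset + RECORD_HEADER_LEN <= len(stream):
        hdr = parse_record_header(stream[offset:], max_len)
        end = offset + RECORD_HEADER_LEN + hdr["length"]
        if end > len(stream):
            break  # incomplete record: need more data, not more looping
        records.append(hdr)
        offset = end
    return records, offset


def make_record(ctype: int, declared_len: int, body: bytes = b"") -> bytes:
    """Build a record header with an arbitrary declared length (constructed test input)."""
    return struct.pack("!BBBH", ctype, 3, 3, declared_len) + body


# Constructed inputs, not captured traffic.
GOOD = make_record(22, 32, b"\x01" * 32)            # plausible 32-byte handshake record
OVERSIZED = make_record(23, 0xFFFF, b"\x00" * 64)   # declares a 65535-byte record

if __name__ == "__main__":
    print(parse_record_header(GOOD))
    print(classify_header(OVERSIZED))
    print(classify_header(make_record(23, 17408), max_len=17408))
    print(classify_header(make_record(23, 17409), max_len=17408))
```

The point of `consume_records` is the distinction between a record that has not fully arrived, an underflow that must simply wait for more bytes, and a record that declares more than the buffer can ever hold, which must be rejected immediately. A reader that treats the second case like the first re-runs its read loop without ever making progress, which is exactly a CPU-bound denial of service.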
What is the Impact of CVE-2021-28165?
Successful exploitation allows an unauthenticated remote attacker to drive the server's CPU to 100%, making the system or application unavailable to legitimate users. The impact is limited to availability: the flaw does not disclose data, alter data, or allow code execution.
What is the Exploitability of CVE-2021-28165?
Exploitation is of low complexity. The attacker only needs to craft an oversized, invalid TLS frame, which requires no more than familiarity with the TLS record layout, and a public proof of concept exists. No authentication, user interaction or prior privileges are required, and the attack is carried out remotely by sending the crafted traffic to the server's SSL/TLS endpoint. The primary risk factor is exposure of the TLS connector to untrusted networks: any Jetty instance whose TLS port is reachable from such a network, including one behind a pass-through (TCP) load balancer, is vulnerable. An instance that only receives already-decrypted traffic from a TLS-terminating proxy cannot be reached with a raw TLS frame by external clients, although the proxy itself, if it runs Jetty, can be.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| uthrasri | Link | PoC for CVE-2021-28165 |
What are the Available Fixes for CVE-2021-28165?
Available Upgrade Options
- org.eclipse.jetty:jetty-server
- >=7.2.2, <9.4.39 → Upgrade to 9.4.39 (or a later 9.4.x release)
- >=10.0.0, <10.0.2 → Upgrade to 10.0.2 (or a later 10.0.x release)
- >=11.0.0, <11.0.2 → Upgrade to 11.0.2 (or a later 11.0.x release)
jetty-server frequently arrives as a transitive dependency (the mailing-list threads below are from Spark, Kafka, HBase and ZooKeeper picking up this fix), so check the resolved version in the dependency tree rather than only the versions declared directly in the pom.
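To check a build against the ranges listed under Affected Software and Available Upgrade Options, the following Python script (an added example, not from the advisory or the Jetty project) extracts jetty-server versions from `mvn dependency:tree` output and maps each affected one to its fixed release. The range table is taken from this page; the dependency-tree excerpt is constructed, not real project output.

```python
import re

# Affected ranges from this advisory: [lower inclusive, upper exclusive) -> fixed release
AFFECTED_RANGES = [
    ((7, 2, 2), (9, 4, 39), "9.4.39"),
    ((10, 0, 0), (10, 0, 2), "10.0.2"),
    ((11, 0, 0), (11, 0, 2), "11.0.2"),
]

_NUMERIC_PREFIX = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Matches the artifact in `mvn dependency:tree` output, e.g.
#   [INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.38.v20210224:compile
_DEP_LINE = re.compile(r"org\.eclipse\.jetty:jetty-server:jar:([^:\s]+):")


def version_key(version: str) -> tuple:
    """Numeric prefix of a Jetty version string, padded to three components.

    '9.4.38.v20210224' -> (9, 4, 38); '10.0.0.alpha0' -> (10, 0, 0).
    Pre-release and SNAPSHOT qualifiers are dropped, so '9.4.39-SNAPSHOT'
    compares equal to 9.4.39 even though a snapshot may predate the fix;
    treat such builds as unverified rather than fixed.
    """
    m = _NUMERIC_PREFIX.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def fix_for(version: str):
    """Return the fixed release for an affected version, else None."""
    key = version_key(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= key < high:
            return fixed
    return None


def scan_dependency_tree(text: str) -> list:
    """Report (version, fixed_version) for each resolved jetty-server in the tree.

    Lines marked 'omitted for conflict/duplicate' show a version Maven did not
    select; only the resolved artifact ends up on the classpath, so they are skipped.
    """
    findings = []
    for line in text.splitlines():
        if "omitted for" in line:
            continue
        m = _DEP_LINE.search(line)
        if m:
            fixed = fix_for(m.group(1))
            if fixed:
                findings.append((m.group(1), fixed))
    return findings


# Constructed dependency:tree excerpt (not real project output).
SAMPLE_TREE = """\
[INFO] +- org.eclipse.jetty:jetty-servlet:jar:9.4.38.v20210224:compile
[INFO] |  \\- org.eclipse.jetty:jetty-server:jar:9.4.38.v20210224:compile
[INFO] +- org.eclipse.jetty:jetty-webapp:jar:10.0.1:compile
[INFO] |  \\- (org.eclipse.jetty:jetty-server:jar:10.0.1:compile - omitted for conflict with 9.4.38.v20210224)
[INFO] \\- org.eclipse.jetty:jetty-server:jar:11.0.2:test
"""

if __name__ == "__main__":
    for version, fixed in scan_dependency_tree(SAMPLE_TREE):
        print(f"jetty-server {version} is affected by CVE-2021-28165; upgrade to {fixed}")
```

Feed it the real output of `mvn dependency:tree -Dincludes=org.eclipse.jetty:jetty-server` for each module; the omitted-for-conflict line in the sample shows why grepping the tree for any occurrence of a bad version over-reports, while only the resolved artifact matters.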
Additional Resources
- https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6@%3Creviews.spark.apache.org%3E
- https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26@%3Creviews.spark.apache.org%3E
- https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187%40%3Creviews.spark.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee@%3Creviews.spark.apache.org%3E
- https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6%40%3Creviews.spark.apache.org%3E
What are Similar Vulnerabilities to CVE-2021-28165?
Similar Vulnerabilities: CVE-2015-0205, CVE-2016-2107, CVE-2017-3731, CVE-2019-1559, CVE-2020-1967
