Impact
When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the Accept, Accept-Encoding, and Accept-Language request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.
The only features within Jetty that can trigger this behavior are:
- Default Error Handling - the
Accept request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc)
StatisticsServlet - uses the Accept request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc)HttpServletRequest.getLocale() - uses the Accept-Language request header with the QuotedQualityCSV to determine which “preferred” language is returned on this call.HttpservletRequest.getLocales() - is similar to the above, but returns an ordered list of locales based on the quality values on the Accept-Language request header.DefaultServlet - uses the Accept-Encoding request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)
Versions
QuotedQualityCSV was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531.
Currently, known vulnerable versions include:
- 9.4.6.v20170531 thru to 9.4.36.v20210114
- 10.0.0
- 11.0.0
Workarounds
Quality ordered values are used infrequently by jetty so they can be avoided by:
- Do not use the default error page/handler.
- Do not deploy the
StatisticsServlet exposed to the network
- Do not call
getLocale API
- Do not enable precompressed static content in the
DefaultServlet
Patches
All patches are available for download from the Eclipse Jetty website at https://www.eclipse.org/jetty/download.php
- 9.4.37.v20210219 and greater
- 10.0.1 and greater
- 11.0.1 and greater
References
trontti Analyst
snps-mtv Analyst
bronallo-bd Analyst
Impact
When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the
Accept,Accept-Encoding, andAccept-Languagerequest headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.The only features within Jetty that can trigger this behavior are:
Acceptrequest header with theQuotedQualityCSVis used to determine what kind of content to send back to the client (html, text, json, xml, etc)StatisticsServlet- uses theAcceptrequest header with theQuotedQualityCSVto determine what kind of content to send back to the client (xml, json, text, html, etc)HttpServletRequest.getLocale()- uses theAccept-Languagerequest header with theQuotedQualityCSVto determine which “preferred” language is returned on this call.HttpservletRequest.getLocales()- is similar to the above, but returns an ordered list of locales based on the quality values on theAccept-Languagerequest header.DefaultServlet- uses theAccept-Encodingrequest header with theQuotedQualityCSVto determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)Versions
QuotedQualityCSVwas introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531.Currently, known vulnerable versions include:
Workarounds
Quality ordered values are used infrequently by jetty so they can be avoided by:
StatisticsServletexposed to the networkgetLocaleAPIDefaultServletPatches
All patches are available for download from the Eclipse Jetty website at https://www.eclipse.org/jetty/download.php
References