Skip to content

DOS vulnerability for Quoted Quality CSV headers

Moderate
waynebeaton published GHSA-m394-8rww-3jr7 Feb 26, 2021

Package

maven org.eclipse.jetty:jetty-server (Maven)

Affected versions

9.4.6.v20170531 - 9.4.36.v20210114, 10.0.0, 11.0.0

Patched versions

9.4.37.v20210219, 10.0.1, 11.0.1

Description

Impact

When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the Accept, Accept-Encoding, and Accept-Language request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.

The only features within Jetty that can trigger this behavior are:

  • Default Error Handling - the Accept request header with the QuotedQualityCSV is used to determine what kind of content to send back to the client (html, text, json, xml, etc)
  • StatisticsServlet - uses the Accept request header with the QuotedQualityCSV to determine what kind of content to send back to the client (xml, json, text, html, etc)
  • HttpServletRequest.getLocale() - uses the Accept-Language request header with the QuotedQualityCSV to determine which “preferred” language is returned on this call.
  • HttpservletRequest.getLocales() - is similar to the above, but returns an ordered list of locales based on the quality values on the Accept-Language request header.
  • DefaultServlet - uses the Accept-Encoding request header with the QuotedQualityCSV to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)

Versions

QuotedQualityCSV was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531.

Currently, known vulnerable versions include:

  • 9.4.6.v20170531 thru to 9.4.36.v20210114
  • 10.0.0
  • 11.0.0

Workarounds

Quality ordered values are used infrequently by jetty so they can be avoided by:

  • Do not use the default error page/handler.
  • Do not deploy the StatisticsServlet exposed to the network
  • Do not call getLocale API
  • Do not enable precompressed static content in the DefaultServlet

Patches

All patches are available for download from the Eclipse Jetty website at https://www.eclipse.org/jetty/download.php

  • 9.4.37.v20210219 and greater
  • 10.0.1 and greater
  • 11.0.1 and greater

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID

CVE-2020-27223

Weaknesses

Credits