[ https://issues.apache.org/jira/browse/SOLR-15325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
WCM RnD updated SOLR-15325:
---------------------------
    Description: 
High security vulnerability has been reported in the Jetty jar bundled within Solr:

*Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server - CVE-2020-27223 (+1)*

h1. Vulnerability Details

h2. CVE-2020-27223

*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-02-26 17:15 EST
*Vulnerability Updated:* 2021-03-05 16:25 EST
*CVSS Score:* 7.5 (overall), 7.5 (base)
*Summary*: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
*Solution*: N/A
*Workaround*: N/A

h2. BDSA-2020-4221

*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-03-01 06:37 EST
*Vulnerability Updated:* 2021-03-01 06:37 EST
*CVSS Score:* 4.6 (overall), 5.3 (base)
*Summary*: Jetty is vulnerable to denial-of-service (DoS) due to the use of an exponential algorithm that can have excessive resource requirements. A remote attacker could cause a vulnerable server to become unresponsive by sending maliciously crafted HTTP requests to that server.
*Solution*: Fixed by [this|https://github.com/eclipse/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131] commit in:
* [*11.0.1*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.1]
* [*10.0.1*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.1]
* [*9.4.37.v20210219*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.37.v20210219]

Jetty library needs to be updated to *[9.4.37.v20210219|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.37.v20210219]* or above.

  was:
High security vulnerability has been reported in the Jetty jar bundled within Solr:

*Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server - CVE-2020-27223 (+1)*

h1. Vulnerability Details

h2. CVE-2020-27223

*Vulnerability Details in BlackDuck:* see [CVE-2020-27223|https://blackduck.opentext.net/api/vulnerabilities/CVE-2020-27223]
*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-02-26 17:15 EST
*Vulnerability Updated:* 2021-03-05 16:25 EST
*CVSS Score:* 7.5 (overall), 7.5 (base)
*Summary*: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
*Solution*: N/A
*Workaround*: N/A

h2. BDSA-2020-4221

*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-03-01 06:37 EST
*Vulnerability Updated:* 2021-03-01 06:37 EST
*CVSS Score:* 4.6 (overall), 5.3 (base)
*Summary*: Jetty is vulnerable to denial-of-service (DoS) due to the use of an exponential algorithm that can have excessive resource requirements. A remote attacker could cause a vulnerable server to become unresponsive by sending maliciously crafted HTTP requests to that server.
*Solution*: Fixed by [this|https://github.com/eclipse/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131] commit in:
* [*11.0.1*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.1]
* [*10.0.1*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.1]
* [*9.4.37.v20210219*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.37.v20210219]

Jetty library needs to be updated to *[9.4.37.v20210219|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.37.v20210219]* or above.


> High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)
> --------------------------------------------------------------------------------------
>
>                 Key: SOLR-15325
>                 URL: https://issues.apache.org/jira/browse/SOLR-15325
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>    Affects Versions: 8.8.1
>            Reporter: WCM RnD
>            Priority: Critical
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
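The issue's remediation is a version floor: the Jetty bundled with Solr must be 9.4.37.v20210219 or later (10.0.1 / 11.0.1 on the newer lines). The POSIX shell script below is an added example, not code from the Jira issue, from Solr or from Jetty: it reads the Jetty version out of the `jetty-server-<version>.jar` file name and tests it against exactly the affected ranges the issue quotes (9.4.6.v20170531 through 9.4.36.v20210114 inclusive, 10.0.0 and 11.0.0). That Solr keeps these jars under `server/lib` is an assumption about the install layout, and the jar created in the demo is a constructed sample, not a real Solr file.

```shell
#!/bin/sh
# Added example, not code from the Jira issue or from Solr/Jetty.
# Checks whether a Jetty version bundled with Solr falls inside the ranges the
# issue lists as affected by CVE-2020-27223 / BDSA-2020-4221:
#   9.4.6.v20170531 .. 9.4.36.v20210114 (inclusive), 10.0.0, 11.0.0
# Fixed releases: 9.4.37.v20210219, 10.0.1, 11.0.1.

# is_numeric STR -> 0 if STR is a non-empty string of digits, 1 otherwise
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# jetty_affected VERSION -> 0 if VERSION (e.g. 9.4.36.v20210114 or 10.0.0)
# lies in an affected range, 1 otherwise (unparseable input counts as "no").
jetty_affected() {
    v=${1%%.v*}                 # drop the ".vYYYYMMDD" qualifier: 9.4.36.v20210114 -> 9.4.36
    major=${v%%.*}
    rest=${v#*.}
    case "$rest" in *.*) ;; *) return 1 ;; esac   # need major.minor.patch
    minor=${rest%%.*}
    patch=${rest#*.}
    is_numeric "$major" && is_numeric "$minor" && is_numeric "$patch" || return 1
    case "$major" in
        9)
            # 9.4.6 .. 9.4.36 inclusive
            [ "$minor" -eq 4 ] && [ "$patch" -ge 6 ] && [ "$patch" -le 36 ] && return 0
            ;;
        10|11)
            # only the first release of each line (10.0.0, 11.0.0) is affected
            [ "$minor" -eq 0 ] && [ "$patch" -eq 0 ] && return 0
            ;;
    esac
    return 1
}

# jetty_jar_version DIR -> prints the version encoded in DIR/jetty-server-<version>.jar
# (assumption: Solr ships the Jetty jars under <solr>/server/lib)
jetty_jar_version() {
    for jar in "$1"/jetty-server-*.jar; do
        [ -e "$jar" ] || return 1           # glob matched nothing
        name=${jar##*/}                      # basename
        name=${name#jetty-server-}
        printf '%s\n' "${name%.jar}"
        return 0
    done
}

# check_solr_lib DIR -> prints a report line; returns 0 if the bundled Jetty
# is affected (action required), 1 if it is not affected or not found
check_solr_lib() {
    ver=$(jetty_jar_version "$1") || { echo "no jetty-server jar found in $1"; return 1; }
    if jetty_affected "$ver"; then
        echo "jetty-server $ver in $1: AFFECTED, upgrade to 9.4.37.v20210219 or later"
        return 0
    fi
    echo "jetty-server $ver in $1: not affected"
    return 1
}

# Demo on a constructed directory standing in for <solr>/server/lib; the jar
# name is a made-up sample chosen to fall inside the affected 9.4.x range.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/jetty-server-9.4.34.v20201102.jar"
    check_solr_lib "$tmp"
    rm -rf "$tmp"
}
demo
```

Run it against a real install as `check_solr_lib /opt/solr/server/lib` (path assumed). The version parser deliberately treats anything it cannot split into major.minor.patch as "not affected" rather than guessing, so an unexpected jar name shows up as a parse failure you can look at instead of a false alarm.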