Bug 1934116 (CVE-2020-27223)
| Summary: | CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abenaiss, aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, ataylor, bibryam, bmontgom, chazlett, drieden, eclipse-sig, eparis, etirelli, ganandan, ggaughan, gmalinko, gvarsami, hbraun, ibek, janstey, java-maint, java-sig-commits, jburrell, jcoleman, jjohnstn, jnethert, jochrist, jokerman, jstastny, jwon, kconner, krathod, krzysztof.daniel, kverlaen, ldimaggi, mizdebsk, mnovotny, nstielau, nwallace, pantinor, pbhattac, pdrozd, pjindal, rrajasek, rschiron, rsynek, rwagner, sdaley, sd-operator-metering, sochotni, sponnaga, sthorger, tcunning, tflannag, tkirby, vbobade |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jetty-9.4.37.v20210219 jetty-10.0.1 jetty-11.0.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-29 10:41:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1891693, 1891694, 1891695, 1891703, 1905620, 1934117, 1936908, 1936909, 1936910, 1941532, 1941533, 1952337, 1952340, 1972361 | ||
| Bug Blocks: | 1934118 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-03-02 14:38:05 UTC
Created jetty tracking bugs for this issue: Affects: fedora-all [bug 1934117] Fixing commit: https://github.com/eclipse/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131 Commit (fix) contained in: jetty-10.0.1, jetty-11.0.1, jetty-9.4.37.v20210219, jetty-9.4.38.v20210224 Marking Red Hat Camel K as having a low impact, although Camel K distributes jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer, http functionality is provided by camel-k default runtime, Quarkus. This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat JBoss A-MQ 6 * Red Hat JBoss Fuse Service Works Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. External References: https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7 A word on scoring, our scoring is currently 5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L and NVD of 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H will change to 5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L My take: Exploitability Metrics: Attack Vector Network (AV:N) - Agree here, Jetty is both a HTTP server and client, in the context of this vulnerability it is the server that is affected, the component is commonly bound to the network stack and also commonly a WAN facing service. Attack Complexity Low (AC:L) Agree here, the attack complexity is low, although there is the complexity of application configuration making this attack less viable and should only expose the user when using one of the below features, we consider this configuration which we assume is in place for the purposes of the base score * Using the default error page/handler * Exposing StatisticsServlet to network traffic * Application using getLocale API * pre-compressed static content in the DefaultServlet is enabled Privileges Required None (PR:N) - Agree here, the attacker does not need to be a privileged user eg. no login required to exploit the base flaw. User Interaction None (UI:N) Agree here, a user does not need to be coerced into performing any action for this flaw, an attacker can expect to be successful if the jetty service is configured with any of the prerequisite mentioned in the AC section Scope Unchanged (S:U) Agree here, the attacker will not be able to escape the scope of the executing JVM solely due to this flaw Impact Metrics: Confidentiality None (C:N) Agree here, there is no loss of confidentiality within the impacted component and nothing is disclosed to the attacker through this attack Integrity None (I:N) Agree here, there is no loss of integrity within the impacted component and no data is altered by the attacker Availability High (A:H) -> Availability Low (A:L) We disagree here, although this is a DoS attack there is not a total, sustained or serious loss of availability in all circumstances, all requests will continue to be handled but the CPU usage will increase, this may result in reduced performance or some interruptions in resource availability but the attacker doesn't have the ability to deny all resources to legitimate users at will. Statement: In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:2499 https://access.redhat.com/errata/RHSA-2021:2499 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27223 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2021:2517 https://access.redhat.com/errata/RHSA-2021:2517 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:2431 https://access.redhat.com/errata/RHSA-2021:2431 This issue has been addressed in the following products: Red Hat AMQ 7.8.2 Via RHSA-2021:2689 https://access.redhat.com/errata/RHSA-2021:2689 This issue has been addressed in the following products: Red Hat AMQ 7.9.0 Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767 This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134 This issue has been addressed in the following products: RHAF Camel-K 1.8 Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407 |