Bug 2318564 (CVE-2024-8184)

Summary: CVE-2024-8184 org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abrianik, aprice, aschwart, asoldano, ataylor, bbaranow, bihu, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, cdewolf, chazlett, chfoley, cmiranda, crizzo, csutherl, darran.lofthouse, dfreiber, dhanak, dkreling, dnakabaa, dosoudil, drichtar, drow, dsimansk, ecerquei, eric.wittmann, fjuma, fmariani, ggrzybek, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jburrell, jclere, jkoops, jpechane, jpoth, jrokos, jross, jsamir, jscholz, kaycoth, kgaikwad, kholdawa, kingland, kverlaen, lcouzens, lgao, matzew, mnovotny, mosmerov, mpierce, mposolda, mskarbek, msochure, msvehla, nipatil, nwallace, oezr, pantinor, parichar, pcongius, pdelbell, pdrozd, peholase, pesilva, pierdipi, pjindal, plodge, pmackay, pskopek, rguimara, rhuss, rkieley, rkubis, rmartinc, rowaters, rstancel, rstepani, sausingh, smaestri, ssilvert, sthorger, swoodman, szappis, tasato, tcunning, tom.jenkinson, vkumar, vmuzikar, wfink, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-10-14 16:01:27 UTC 
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack.  By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
Comment 1 errata-xmlrpc 2024-11-13 16:21:21 UTC 
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.8.0

Via RHSA-2024:9571 https://access.redhat.com/errata/RHSA-2024:9571
Comment 2 errata-xmlrpc 2024-12-12 20:01:18 UTC 
This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:11023 https://access.redhat.com/errata/RHSA-2024:11023
Comment 6 errata-xmlrpc 2025-03-05 20:59:24 UTC 
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.0

Via RHSA-2025:2416 https://access.redhat.com/errata/RHSA-2025:2416