https://bugzilla.redhat.com/show_bug.cgi?id=1696062
Bug ID: 1696062
Summary: CVE-2018-12545 jetty: large settings frames causing denial of service
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190320,reported=20190328,source=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty=affected,fuse-7/jetty=affected,rhn_satellite_5/jetty=affected,rhscl-3/rh-java-common-jetty=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: bkearney(a)redhat.com, chazlett(a)redhat.com,
decathorpe(a)gmail.com,
eclipse-sig(a)lists.fedoraproject.org,
ggainey(a)redhat.com, hhorak(a)redhat.com,
java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, jorton(a)redhat.com,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
tlestach(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of
Service conditions if a remote client sends either large SETTINGS frames
containing many settings, or many small SETTINGS frames. The vulnerability is due
to the additional CPU and memory allocations required to handle changed settings.
Reference:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096
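The advisory names two abuse shapes, one large SETTINGS frame with many entries and many small SETTINGS frames. The following added example (not Jetty's code, and not the fix referenced above) shows the defensive pattern for both: reject oversized frames from the length field before decoding any entry, and rate-limit SETTINGS frames per sliding window regardless of size. The limits (16 entries per frame, 10 frames per second), the class names and the frame builder are all constructed for this illustration.

```python
import struct
from collections import deque
# RFC 7540 s4.1: 9-byte header (24-bit length, type, flags, 31-bit stream id); entry = 16-bit id + 32-bit value
FRAME_HEADER_LEN = 9
SETTINGS_TYPE = 0x4
SETTINGS_ACK = 0x1
ENTRY_LEN = 6

class SettingsFloodError(Exception):
    """Peer exceeded the SETTINGS limits (policy constructed for this example, not Jetty's)."""

def build_settings_frame(settings, flags=0):
    """Construct a SETTINGS frame on stream 0 from (identifier, value) pairs (test input only)."""
    payload = b"".join(struct.pack(">HI", sid, val) for sid, val in settings)
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, flags]) + bytes(4)
    return header + payload

class SettingsGuard:
    """Caps entries per SETTINGS frame and SETTINGS frames per sliding window."""
    def __init__(self, max_per_frame=16, max_frames=10, window=1.0):
        self.max_per_frame = max_per_frame
        self.max_frames = max_frames
        self.window = window
        self.recent = deque()  # timestamps of accepted SETTINGS frames

    def accept(self, frame, now):
        """Validate one SETTINGS frame and return its entries as {identifier: value}."""
        if len(frame) < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(frame[:3], "big")
        ftype, flags = frame[3], frame[4]
        stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
        payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
        if ftype != SETTINGS_TYPE or stream_id != 0:
            raise ValueError("PROTOCOL_ERROR: SETTINGS must be on stream 0")
        if len(payload) != length or length % ENTRY_LEN or (flags & SETTINGS_ACK and length):
            raise ValueError("FRAME_SIZE_ERROR: malformed SETTINGS payload")
        # Count entries from the length field before decoding any, so an oversized
        # frame is rejected without per-entry CPU time or allocation.
        if length // ENTRY_LEN > self.max_per_frame:
            raise SettingsFloodError(f"{length // ENTRY_LEN} settings in one frame")
        # Rate-limit frames regardless of size, so many small frames (or empty ACKs)
        # cannot do what one large frame no longer can.
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_frames:
            raise SettingsFloodError("too many SETTINGS frames in window")
        self.recent.append(now)
        return {sid: val for sid, val in struct.iter_unpack(">HI", payload)}
```

A real server would treat either SettingsFloodError as a connection error (GOAWAY with ENHANCE_YOUR_CALM) and log the peer, which is also the signal a detection rule would key on.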