
[GHSA-h2f4-v4c4-6wx4] Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server#7093

Open
Meet003118 wants to merge 1 commit into Meet003118/advisory-improvement-7093 from Meet003118-GHSA-h2f4-v4c4-6wx4

Conversation

@Meet003118

Updates

  • Affected products
  • References

Comments
Two updates are made:

  1. Removed patched version for 9.3.x version range:

The CVE describes two attack vectors - a single large SETTINGS frame with many keys, and many small SETTINGS frames.

The fix can be traced to commit: jetty/jetty.project@9eca404 and PR: jetty/jetty.project#2723 - Improve configurability for SETTINGS frames, which:

  • Introduces DEFAULT_MAX_KEYS = 64 in SettingsFrame.java
  • Adds a running keys counter in SettingsBodyParser.java that is NOT reset between frames (covering both attack vectors)
  • Includes two explicit tests: testGenerateParseTooManySettingsInOneFrame and testGenerateParseTooManySettingsInMultipleFrames that directly validate both CVE attack scenarios

This was also independently confirmed in a bugzilla report: https://bugzilla.redhat.com/show_bug.cgi?id=1696062#c3

Commit 9eca404 was only merged into the 9.4.x branch and shipped in version 9.4.12.RC1. It was never backported to 9.3.x. This can be verified by inspecting SettingsBodyParser.java directly on the 9.3.x branch - the maxKeys guard and DEFAULT_MAX_KEYS constant are both absent across all 9.3.x versions including 9.3.25.v20180904.

The 9.3.x patched version stated in the advisory is therefore incorrect.

  2. Updated affected package based on correct fix commit:

The vulnerable and patched code resides in org.eclipse.jetty.http2:http2-common (SettingsBodyParser.java), not in GA: org.eclipse.jetty:jetty-server; jetty-server contains no HTTP/2 frame parsing logic.
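To make the point in the description concrete, here is an added illustration (not Jetty's code, and not part of this pull request) of a SETTINGS frame parser whose key counter is either reset per frame or kept running across frames. The frame layout follows RFC 7540 (9-byte header, 6-byte settings entries on stream 0); the class and function names, the exact "more than max_keys" threshold, and the sample frames are constructed for this example. The two scenario functions mirror the two test cases named above: a per-frame counter stops the single oversized frame but lets a stream of small frames through, while the cumulative counter stops both.

```python
import struct

SETTINGS_FRAME_TYPE = 0x4      # RFC 7540 section 6.5
SETTINGS_ACK_FLAG = 0x1
FRAME_HEADER_LEN = 9           # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
SETTING_ENTRY_LEN = 6          # 16-bit identifier + 32-bit value
DEFAULT_MAX_KEYS = 64          # the limit the PR description cites for SettingsFrame.java


class ProtocolError(Exception):
    """Malformed SETTINGS frame (wrong stream, bad length, ...)."""


class SettingsLimitExceeded(ProtocolError):
    """Raised when the running SETTINGS key count passes max_keys."""


def build_settings_frame(entries, ack=False):
    """Encode a SETTINGS frame on stream 0 from (identifier, value) pairs (constructed test input)."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in entries)
    flags = SETTINGS_ACK_FLAG if ack else 0
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_FRAME_TYPE, flags])
              + (0).to_bytes(4, "big"))
    return header + payload


class SettingsBodyParser:
    """Minimal SETTINGS parser (hypothetical); with cumulative=True the key counter survives across frames."""

    def __init__(self, max_keys=DEFAULT_MAX_KEYS, cumulative=True):
        self.max_keys = max_keys
        self.cumulative = cumulative
        self.keys_seen = 0
        self.settings = {}

    def parse_frame(self, frame):
        if len(frame) < FRAME_HEADER_LEN:
            raise ProtocolError("frame shorter than header")
        length = int.from_bytes(frame[0:3], "big")
        frame_type, flags = frame[3], frame[4]
        stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
        if frame_type != SETTINGS_FRAME_TYPE:
            raise ProtocolError("not a SETTINGS frame")
        if stream_id != 0:
            raise ProtocolError("SETTINGS must be sent on stream 0")
        payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ProtocolError("truncated payload")
        if flags & SETTINGS_ACK_FLAG:
            if length != 0:
                raise ProtocolError("SETTINGS ACK must carry no payload")
            return {}
        if length % SETTING_ENTRY_LEN:
            raise ProtocolError("payload length is not a multiple of 6")
        if not self.cumulative:
            self.keys_seen = 0   # per-frame guard only: cannot see the many-small-frames pattern
        parsed = {}
        for off in range(0, length, SETTING_ENTRY_LEN):
            self.keys_seen += 1  # count before storing, so nothing is allocated past the limit
            if self.keys_seen > self.max_keys:
                raise SettingsLimitExceeded(f"more than {self.max_keys} SETTINGS keys on this connection")
            ident, value = struct.unpack(">HI", payload[off:off + SETTING_ENTRY_LEN])
            parsed[ident] = value
        self.settings.update(parsed)
        return parsed


def rejects_too_many_keys_in_one_frame(max_keys=DEFAULT_MAX_KEYS, cumulative=True):
    """Scenario 1: a single SETTINGS frame carrying max_keys + 1 entries."""
    parser = SettingsBodyParser(max_keys, cumulative)
    frame = build_settings_frame([(0x1, 4096)] * (max_keys + 1))
    try:
        parser.parse_frame(frame)
    except SettingsLimitExceeded:
        return True
    return False


def rejects_too_many_keys_across_frames(max_keys=DEFAULT_MAX_KEYS, cumulative=True):
    """Scenario 2: max_keys + 1 frames with one entry each on the same connection."""
    parser = SettingsBodyParser(max_keys, cumulative)
    try:
        for _ in range(max_keys + 1):
            parser.parse_frame(build_settings_frame([(0x1, 4096)]))
    except SettingsLimitExceeded:
        return True
    return False


def accepts_normal_preface():
    """An ordinary client preface (two settings, then an ACK) must still pass."""
    parser = SettingsBodyParser()
    parsed = parser.parse_frame(build_settings_frame([(0x3, 100), (0x4, 65535)]))
    ack = parser.parse_frame(build_settings_frame([], ack=True))
    return parsed, ack, parser.keys_seen
```

Running the two scenario functions with `cumulative=False` shows why a guard that only looks at one frame is not enough: the oversized frame is rejected, but the stream of single-entry frames is accepted indefinitely, which is the second vector the description says the counter in SettingsBodyParser.java covers by not resetting between frames.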

@github-actions github-actions bot changed the base branch from main to Meet003118/advisory-improvement-7093 March 2, 2026 10:57
@JonathanLEvans

🤔 We seem to have taken the fixed versions from this comment. jetty/jetty.project#2722 (which jetty/jetty.project#2723 fixes) says it is addressing CVE-2019-9515, though the vulnerabilities seem related. I will take a closer look.
