https://bugzilla.redhat.com/show_bug.cgi?id=1696062
Bug ID: 1696062
Summary: CVE-2018-12545 jetty: large settings frames causing denial of service
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190320,reported=20190328,source=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty=affected,fuse-7/jetty=affected,rhn_satellite_5/jetty=affected,rhscl-3/rh-java-common-jetty=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: bkearney@redhat.com, chazlett@redhat.com, decathorpe@gmail.com, eclipse-sig@lists.fedoraproject.org, ggainey@redhat.com, hhorak@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jjohnstn@redhat.com, jorton@redhat.com, krzysztof.daniel@gmail.com, mizdebsk@redhat.com, sochotni@redhat.com, stewardship-sig@lists.fedoraproject.org, tlestach@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
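The two abuse patterns named above (one SETTINGS frame carrying many settings, and many small SETTINGS frames on one connection) can be bounded at the frame-parsing layer. The following is an added example, not Jetty's code or its fix: it decodes HTTP/2 frame headers and SETTINGS payloads per RFC 7540 (sections 4.1 and 6.5) and keeps a per-connection budget that reports when a frame should cause the connection to be closed. The limit values (`MAX_SETTINGS_PER_FRAME`, `MAX_SETTINGS_FRAMES_PER_WINDOW`, `WINDOW_SECONDS`) and the `SettingsBudget` class are assumptions chosen for illustration; the sample frames are constructed inline.

```python
"""
Added example (not Jetty code): a minimal HTTP/2 SETTINGS frame parser plus a
per-connection budget covering the two patterns in CVE-2018-12545's description:
a single SETTINGS frame with many settings, and a flood of small SETTINGS frames.
Frame layout follows RFC 7540 sections 4.1 and 6.5; the limits are assumed values.
"""
import struct

FRAME_HEADER_LEN = 9
SETTINGS_TYPE = 0x4
SETTINGS_ENTRY_LEN = 6  # 16-bit identifier + 32-bit value per setting

# Assumed policy values (not Jetty defaults); tune per deployment.
MAX_SETTINGS_PER_FRAME = 16
MAX_SETTINGS_FRAMES_PER_WINDOW = 8
WINDOW_SECONDS = 1.0


def parse_frame_header(data):
    """Split a 9-byte HTTP/2 frame header into (length, type, flags, stream_id)."""
    if len(data) < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(data[0:3], "big")
    ftype = data[3]
    flags = data[4]
    stream_id = struct.unpack("!I", data[5:9])[0] & 0x7FFFFFFF  # drop reserved bit
    return length, ftype, flags, stream_id


def parse_settings_payload(payload):
    """Decode a SETTINGS payload into a list of (identifier, value) pairs.

    RFC 7540 6.5: a SETTINGS payload whose length is not a multiple of 6
    octets is a connection error of type FRAME_SIZE_ERROR.
    """
    if len(payload) % SETTINGS_ENTRY_LEN != 0:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS length not a multiple of 6")
    return [struct.unpack("!HI", payload[i:i + SETTINGS_ENTRY_LEN])
            for i in range(0, len(payload), SETTINGS_ENTRY_LEN)]


class SettingsBudget:
    """Per-connection accounting for SETTINGS frames (assumed design).

    check() returns a reason string when the connection should be closed,
    or None when the frame is within budget. The clock is injected so the
    logic is deterministic and testable offline.
    """

    def __init__(self, max_per_frame=MAX_SETTINGS_PER_FRAME,
                 max_frames=MAX_SETTINGS_FRAMES_PER_WINDOW,
                 window=WINDOW_SECONDS):
        self.max_per_frame = max_per_frame
        self.max_frames = max_frames
        self.window = window
        self.timestamps = []  # arrival times of recent non-ACK SETTINGS frames

    def check(self, frame_bytes, now):
        length, ftype, flags, stream_id = parse_frame_header(frame_bytes)
        if ftype != SETTINGS_TYPE:
            return None  # only SETTINGS frames are budgeted here
        if stream_id != 0:
            return "PROTOCOL_ERROR: SETTINGS on non-zero stream"
        payload = frame_bytes[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated SETTINGS payload")
        if flags & 0x1:  # ACK: must carry no payload and costs the server nothing
            return None if length == 0 else "FRAME_SIZE_ERROR: SETTINGS ACK with payload"
        entries = parse_settings_payload(payload)
        # Pattern 1: one frame carrying an excessive number of settings.
        if len(entries) > self.max_per_frame:
            return "ENHANCE_YOUR_CALM: %d settings in one frame" % len(entries)
        # Pattern 2: too many SETTINGS frames inside a sliding time window.
        self.timestamps = [t for t in self.timestamps if now - t < self.window]
        self.timestamps.append(now)
        if len(self.timestamps) > self.max_frames:
            return "ENHANCE_YOUR_CALM: %d SETTINGS frames in %.1fs" % (
                len(self.timestamps), self.window)
        return None


def build_settings_frame(entries, ack=False):
    """Encode a SETTINGS frame on stream 0; used only to construct sample input."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    flags = 0x1 if ack else 0x0
    return (len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, flags])
            + struct.pack("!I", 0) + payload)


if __name__ == "__main__":
    budget = SettingsBudget()
    # Constructed sample: MAX_CONCURRENT_STREAMS (0x3) and INITIAL_WINDOW_SIZE (0x4).
    normal = build_settings_frame([(0x3, 100), (0x4, 65535)])
    print("normal frame:", budget.check(normal, now=0.0))
    oversized = build_settings_frame([(0x4, 65535)] * 64)
    print("oversized frame:", budget.check(oversized, now=0.1))
```

The per-frame cap bounds the allocations a single frame can trigger, and the sliding window bounds how often the connection can force the server to re-apply settings; either violation is reported as a reason string so the caller can close the connection and log it.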
Reference: https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096