Posted to issues@solr.apache.org by "WCM RnD (Jira)" <ji...@apache.org> on 2021/04/07 12:15:00 UTC
[jira] [Created] (SOLR-15325) High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)
WCM RnD created SOLR-15325:
------------------------------
Summary: High security vulnerability in Jetty library bundled within Solr - CVE-2020-27223 (+1)
Key: SOLR-15325
URL: https://issues.apache.org/jira/browse/SOLR-15325
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Affects Versions: 8.8.1
Reporter: WCM RnD
High security vulnerability has been reported in the Jetty jar bundled within Solr:
*Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server - CVE-2020-27223 (+1)*
h1. Vulnerability Details
h2. CVE-2020-27223
*Vulnerability Details in BlackDuck:* see [CVE-2020-27223|https://blackduck.opentext.net/api/vulnerabilities/CVE-2020-27223]
*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-02-26 17:15 EST
*Vulnerability Updated:* 2021-03-05 16:25 EST
*CVSS Score:* 7.5 (overall), 7.5 (base)
*Summary*: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
*Solution*: N/A
*Workaround*: N/A
h2. BDSA-2020-4221
*Vulnerability Details in BlackDuck:* see [BDSA-2020-4221|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2020-4221]
*Affected Component(s):* Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
*Vulnerability Published:* 2021-03-01 06:37 EST
*Vulnerability Updated:* 2021-03-01 06:37 EST
*CVSS Score:* 4.6 (overall), 5.3 (base)
*Summary*: Jetty is vulnerable to denial-of-service (DoS) due to the use of an exponential algorithm that can have excessive resource requirements. A remote attacker could cause a vulnerable server to become unresponsive by sending maliciously crafted HTTP requests to that server.
*Solution*: Fixed by [this|https://github.com/eclipse/jetty.project/commit/10e531756b972162eed402c44d0244f7f6b85131] commit in:
* [*11.0.1*|https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.1]
* [*10.0.1*|https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.1]
* [*9.4.37.v20210219*|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.37.v20210219]
Jetty library needs to be updated to *[9.4.37.v20210219|https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.37.v20210219]* or above.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
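The version ranges quoted in the issue are easy to misread during a half-finished upgrade (some Jetty jars bumped, others left behind). The following is an added example, not part of the Jira issue and not code from the Solr or Jetty projects: a Python audit that parses Jetty jar filenames found on a Solr classpath, checks each against the affected ranges stated above (9.4.6.v20170531 through 9.4.36.v20210114 inclusive, 10.0.0, 11.0.0) and the fixed releases listed for BDSA-2020-4221 (9.4.37.v20210219, 10.0.1, 11.0.1), and flags mixed Jetty versions. It assumes the standard `jetty-<artifact>-<major>.<minor>.<patch>[.vYYYYMMDD].jar` naming; the sample listing is constructed and does not describe any real Solr release.

```python
"""Audit Jetty jars on a Solr classpath against the ranges in SOLR-15325."""
import re
from pathlib import Path
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Jetty artifacts are named like jetty-server-9.4.36.v20210114.jar; the
# ".vYYYYMMDD" qualifier is optional (10.0.0 and 11.0.0 carry none).
_JAR_RE = re.compile(
    r"^jetty-(?P<artifact>[a-z0-9-]+?)-(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:\.v(?P<stamp>\d{8}))?\.jar$"
)

# Affected 9.4 range from the CVE-2020-27223 text (inclusive on both ends).
_AFFECTED_9X = ((9, 4, 6), (9, 4, 36))
# First fixed release per line, from the BDSA-2020-4221 "Solution" list.
FIXED: Dict[int, Version] = {9: (9, 4, 37), 10: (10, 0, 1), 11: (11, 0, 1)}


class Finding(NamedTuple):
    jar: str
    artifact: str
    version: Version
    vulnerable: bool
    upgrade_to: Optional[Version]


def parse_jetty_jar(name: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version) for a Jetty jar filename, else None."""
    m = _JAR_RE.match(name)
    if m is None:
        return None
    return m["artifact"], (int(m["major"]), int(m["minor"]), int(m["patch"]))


def is_affected(version: Version) -> bool:
    """True if `version` lies in a range the advisory names as affected."""
    major = version[0]
    if major == 9:
        return _AFFECTED_9X[0] <= version <= _AFFECTED_9X[1]
    if major in (10, 11):
        return version < FIXED[major]  # 10.0.0 and 11.0.0 only
    return False  # other lines are not named by the advisory


def audit(jar_names: Iterable[str]) -> List[Finding]:
    """Classify every Jetty jar in `jar_names`; non-Jetty jars are skipped."""
    findings: List[Finding] = []
    for name in sorted(jar_names):
        parsed = parse_jetty_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        vulnerable = is_affected(version)
        target = FIXED.get(version[0]) if vulnerable else None
        findings.append(Finding(name, artifact, version, vulnerable, target))
    return findings


def mixed_versions(findings: Iterable[Finding]) -> bool:
    """A partial upgrade leaves Jetty jars at different versions; flag that."""
    return len({f.version for f in findings}) > 1


def audit_dir(lib_dir: Path) -> List[Finding]:
    """Audit the *.jar files directly under lib_dir (assumed: solr/server/lib)."""
    return audit(p.name for p in lib_dir.glob("*.jar"))


# Constructed sample listing (not a real Solr install): two jars still on a
# pre-fix 9.4 release, one already bumped, one non-Jetty jar to be skipped.
SAMPLE_JARS = [
    "jetty-server-9.4.34.v20201102.jar",
    "jetty-http-9.4.34.v20201102.jar",
    "jetty-alpn-java-server-9.4.37.v20210219.jar",
    "http2-server-9.4.34.v20201102.jar",
]

if __name__ == "__main__":
    results = audit(SAMPLE_JARS)
    for f in results:
        status = "VULNERABLE, upgrade to %d.%d.%d" % f.upgrade_to if f.vulnerable else "ok"
        print(f"{f.jar}: {status}")
    if mixed_versions(results):
        print("warning: Jetty jars on the classpath are not all the same version")
```

Run it against a live install with `audit_dir(Path("/opt/solr/server/lib"))`; a clean result is every finding `ok` and `mixed_versions()` returning False, since one straggling 9.4.34 jar is enough to leave the HTTP layer on affected code.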