You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Manikumar (Jira)" <ji...@apache.org> on 2021/03/03 04:50:00 UTC

[jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223

     [ https://issues.apache.org/jira/browse/KAFKA-12400?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manikumar resolved KAFKA-12400.
-------------------------------
    Resolution: Fixed

Issue resolved by pull request 10245
[https://github.com/apache/kafka/pull/10245]

> Upgrade jetty to fix CVE-2020-27223
> -----------------------------------
>
>                 Key: KAFKA-12400
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12400
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Dongjin Lee
>            Assignee: Dongjin Lee
>            Priority: Major
>             Fix For: 2.7.1, 2.6.2, 2.8.0
>
>
> h3. CVE-2020-27223 Detail
> In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of quality (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)