You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@zookeeper.apache.org by "Damien Diederen (Jira)" <ji...@apache.org> on 2021/03/07 08:44:00 UTC
[jira] [Updated] (ZOOKEEPER-4233) dependency-check:check failing -
Jetty 9.4.35.v20201120 - CVE-2020-27223
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Damien Diederen updated ZOOKEEPER-4233:
---------------------------------------
Labels: owasp server (was: )
> dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223
> ------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4233
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4233
> Project: ZooKeeper
> Issue Type: Task
> Affects Versions: 3.5.9, 3.7.0, 3.6.2, 3.8.0
> Reporter: Damien Diederen
> Assignee: Damien Diederen
> Priority: Blocker
> Labels: owasp, server
>
> What do you know—I encountered a Jetty vulnerability while trying to prepare a new 3.7.0 RC:
> {noformat}
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] jetty-server-9.4.35.v20201120.jar: CVE-2020-27223
> [ERROR] jetty-http-9.4.35.v20201120.jar: CVE-2020-27223
> {noformat}
> [CVE-2020-27223|https://nvd.nist.gov/vuln/detail/CVE-2020-27223] describes it as:
> {quote}
> In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
> {quote}
> This may not be the end of the world wrt. ZooKeeper, but it doesn't look good in a fresh release.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)