PT-2021-7302 · Eclipse · Eclipse Jetty

Published 2021-04-01 · Updated 2026-03-10 · CVE-2021-28165

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions 7.2.2 through 9.4.38
Eclipse Jetty versions 10.0.0.alpha0 through 10.0.1
Eclipse Jetty versions 11.0.0.alpha0 through 11.0.1

Description

The issue is uncontrolled resource consumption in Eclipse Jetty: CPU usage can reach 100% when the server receives a large invalid TLS frame. A remote attacker can exploit this to cause a denial of service. The problem occurs when SSL/TLS is used with Jetty, whether with HTTP/1.1, HTTP/2, or WebSocket, and the server receives an invalid large TLS frame that it handles incorrectly.

Recommendations

For Eclipse Jetty versions 7.2.2 through 9.4.38, 10.0.0.alpha0 through 10.0.1, and 11.0.0.alpha0 through 11.0.1, a workaround can be applied by compiling and deploying the SpaceCheckingSslConnectionFactory class, which checks whether the encrypted buffer's maximum length has been exceeded and, if so, throws an SSLHandshakeException. To deploy the class, put the resulting class file into a jar file, make it available to the server, and edit the ssl.mod and jetty-https.xml files to reference the new class. Restart Jetty after applying the changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Resource Exhaustion
Improper Handling of Exceptional Conditions

Related Identifiers

ALT-PU-2021-2000
BDU:2022-05507
BIT-JENKINS-2021-28165
CVE-2021-28165
DSA-4949-1
GHSA-26VR-8J45-3R4W
OESA-2021-1166
OPENSUSE-SU-2021:2005-1
OPENSUSE-SU-2021_2005-1
OPENSUSE-SU-2024:10878-1
RHSA-2021:1509
RHSA-2021:1551
SUSE-SU-2021:2005-1

Affected Products

Alt Linux
Astra Linux
Eclipse Jetty
Jenkins
Jira
Suse