This site is deprecated. Please
CLICK HERE for latest updates
Short Name |
HTTP:MISC:CVE-2018-12545-DOS
|
Severity |
Minor
|
Recommended |
Yes
|
Recommended Action |
Drop
|
Category |
HTTP
|
Keywords |
Eclipse Jetty HTTP2 SETTINGS Frames Resource Exhaustion Denial Of Service
|
Release Date |
2019/06/04
|
Update Number |
3177
|
Supported Platforms |
srx-17.3+, srx-branch-17.4+, vsrx-15.1+, vsrx3bsd-18.2+
|
HTTP: Eclipse Jetty HTTP2 SETTINGS Frames Resource Exhaustion Denial Of Service
This signature detects attempts to exploit a known vulnerability against Eclipse Jetty. A successful attack can result in a denial-of-service condition.
Extended Description
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
Affected Products
- Eclipse jetty 9.3.0
- Eclipse jetty 9.3.1
- Eclipse jetty 9.3.10
- Eclipse jetty 9.3.11
- Eclipse jetty 9.3.12
- Eclipse jetty 9.3.13
- Eclipse jetty 9.3.14
- Eclipse jetty 9.3.15
- Eclipse jetty 9.3.16
- Eclipse jetty 9.3.17
- Eclipse jetty 9.3.18
- Eclipse jetty 9.3.19
- Eclipse jetty 9.3.2
- Eclipse jetty 9.3.20
- Eclipse jetty 9.3.21
- Eclipse jetty 9.3.22
- Eclipse jetty 9.3.23
- Eclipse jetty 9.3.24
- Eclipse jetty 9.3.3
- Eclipse jetty 9.3.4
- Eclipse jetty 9.3.5
- Eclipse jetty 9.3.6
- Eclipse jetty 9.3.7
- Eclipse jetty 9.3.8
- Eclipse jetty 9.3.9
- Eclipse jetty 9.4.0
- Eclipse jetty 9.4.1
- Eclipse jetty 9.4.10
- Eclipse jetty 9.4.11
- Eclipse jetty 9.4.12
- Eclipse jetty 9.4.2
- Eclipse jetty 9.4.3
- Eclipse jetty 9.4.4
- Eclipse jetty 9.4.5
- Eclipse jetty 9.4.6
- Eclipse jetty 9.4.7
- Eclipse jetty 9.4.8
- Eclipse jetty 9.4.9
- Fedoraproject fedora 28
References