CVE-2018-12545
First published: Wed Mar 27 2019(Updated: )
Eclipse Jetty is vulnerable to a denial of service, caused by the additional CPU and memory allocations required to handle changed settings. By sending either large SETTINGs frames container containing many settings, or many small SETTINGs frames, a remote attacker could exploit this vulnerability to cause a denial of service.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
| Eclipse Jetty | =9.3.0-20150601 | |
| Eclipse Jetty | =9.3.0-20150608 | |
| Eclipse Jetty | =9.3.0-20150612 | |
| Eclipse Jetty | =9.3.0-maintenance0 | |
| Eclipse Jetty | =9.3.0-maintenance1 | |
| Eclipse Jetty | =9.3.0-maintenance2 | |
| Eclipse Jetty | =9.3.0-rc0 | |
| Eclipse Jetty | =9.3.0-rc1 | |
| Eclipse Jetty | =9.3.1-20150714 | |
| Eclipse Jetty | =9.3.2-20150730 | |
| Eclipse Jetty | =9.3.3-20150825 | |
| Eclipse Jetty | =9.3.3-20150827 | |
| Eclipse Jetty | =9.3.4-20151005 | |
| Eclipse Jetty | =9.3.4-20151007 | |
| Eclipse Jetty | =9.3.4-rc0 | |
| Eclipse Jetty | =9.3.4-rc1 | |
| Eclipse Jetty | =9.3.5-20151012 | |
| Eclipse Jetty | =9.3.6-20151106 | |
| Eclipse Jetty | =9.3.7-20160115 | |
| Eclipse Jetty | =9.3.7-rc0 | |
| Eclipse Jetty | =9.3.7-rc1 | |
| Eclipse Jetty | =9.3.8-20160311 | |
| Eclipse Jetty | =9.3.8-20160314 | |
| Eclipse Jetty | =9.3.8-rc0 | |
| Eclipse Jetty | =9.3.9-20160517 | |
| Eclipse Jetty | =9.3.9-maintenance_0 | |
| Eclipse Jetty | =9.3.9-maintenance_1 | |
| Eclipse Jetty | =9.3.10-20160621 | |
| Eclipse Jetty | =9.3.10-maintenance_0 | |
| Eclipse Jetty | =9.3.11-20160721 | |
| Eclipse Jetty | =9.3.11-maintenance_0 | |
| Eclipse Jetty | =9.3.12-20160915 | |
| Eclipse Jetty | =9.3.13-20161014 | |
| Eclipse Jetty | =9.3.13-maintenance_0 | |
| Eclipse Jetty | =9.3.14-20161028 | |
| Eclipse Jetty | =9.3.15-20161220 | |
| Eclipse Jetty | =9.3.16-20170119 | |
| Eclipse Jetty | =9.3.16-20170120 | |
| Eclipse Jetty | =9.3.17-20170317 | |
| Eclipse Jetty | =9.3.17-rc0 | |
| Eclipse Jetty | =9.3.18-20170406 | |
| Eclipse Jetty | =9.3.19-20170502 | |
| Eclipse Jetty | =9.3.20-20170531 | |
| Eclipse Jetty | =9.3.21-20170918 | |
| Eclipse Jetty | =9.3.21-maintenance_0 | |
| Eclipse Jetty | =9.3.21-rc0 | |
| Eclipse Jetty | =9.3.22-20171030 | |
| Eclipse Jetty | =9.3.23-20180228 | |
| Eclipse Jetty | =9.3.24-20180605 | |
| Eclipse Jetty | =9.4.0-20161207 | |
| Eclipse Jetty | =9.4.0-20161208 | |
| Eclipse Jetty | =9.4.0-20180619 | |
| Eclipse Jetty | =9.4.0-maintenance_0 | |
| Eclipse Jetty | =9.4.0-maintenance_1 | |
| Eclipse Jetty | =9.4.0-rc0 | |
| Eclipse Jetty | =9.4.0-rc1 | |
| Eclipse Jetty | =9.4.0-rc2 | |
| Eclipse Jetty | =9.4.0-rc3 | |
| Eclipse Jetty | =9.4.1-20170120 | |
| Eclipse Jetty | =9.4.1-20180619 | |
| Eclipse Jetty | =9.4.2-20170220 | |
| Eclipse Jetty | =9.4.2-20180619 | |
| Eclipse Jetty | =9.4.3-20170317 | |
| Eclipse Jetty | =9.4.3-20180619 | |
| Eclipse Jetty | =9.4.4-20170410 | |
| Eclipse Jetty | =9.4.4-20170414 | |
| Eclipse Jetty | =9.4.4-20180619 | |
| Eclipse Jetty | =9.4.5-20170502 | |
| Eclipse Jetty | =9.4.5-20180619 | |
| Eclipse Jetty | =9.4.6-20170531 | |
| Eclipse Jetty | =9.4.6-20180619 | |
| Eclipse Jetty | =9.4.7-20170914 | |
| Eclipse Jetty | =9.4.7-20180619 | |
| Eclipse Jetty | =9.4.7-rc0 | |
| Eclipse Jetty | =9.4.8-20171121 | |
| Eclipse Jetty | =9.4.8-20180619 | |
| Eclipse Jetty | =9.4.9-20180320 | |
| Eclipse Jetty | =9.4.10-20180503 | |
| Eclipse Jetty | =9.4.10-rc0 | |
| Eclipse Jetty | =9.4.10-rc1 | |
| Eclipse Jetty | =9.4.11-20180605 | |
| Eclipse Jetty | =9.4.12-rc0 | |
| Eclipse Jetty | =9.4.12-rc1 | |
| Eclipse Jetty | =9.4.12-rc2 | |
| Fedora | =28 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096
- https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2@%3Ccommits.accumulo.apache.org%3E
- https://lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606@%3Cdevnull.infra.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79@%3Cnotifications.accumulo.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606%40%3Cdevnull.infra.apache.org%3E
- https://lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79%40%3Cnotifications.accumulo.apache.org%3E
- https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2%40%3Ccommits.accumulo.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6/
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://www.ibm.com/support/pages/node/7173592 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2018-12545?
The severity of CVE-2018-12545 is considered high due to its potential to cause denial of service.
How do I fix CVE-2018-12545?
To fix CVE-2018-12545, upgrade to a version of Eclipse Jetty that includes the patch for this vulnerability.
What versions of Eclipse Jetty are affected by CVE-2018-12545?
CVE-2018-12545 affects multiple versions of Eclipse Jetty, including specific releases from 9.3.0 to 9.4.x.
What kind of attacks can exploit CVE-2018-12545?
CVE-2018-12545 can be exploited by sending large or numerous SETTINGs frames, leading to excessive CPU and memory usage.
Is there a workaround for CVE-2018-12545?
There are no confirmed workarounds for CVE-2018-12545; applying the patch is the recommended solution.
- agent/weakness
- agent/type
- agent/remedy
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp3
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/9.3.0-20150601
- version/eclipse jetty/9.3.0-20150608
- version/eclipse jetty/9.3.0-20150612
- version/eclipse jetty/9.3.0-maintenance0
- version/eclipse jetty/9.3.0-maintenance1
- version/eclipse jetty/9.3.0-maintenance2
- version/eclipse jetty/9.3.0-rc0
- version/eclipse jetty/9.3.0-rc1
- version/eclipse jetty/9.3.1-20150714
- version/eclipse jetty/9.3.2-20150730
- version/eclipse jetty/9.3.3-20150825
- version/eclipse jetty/9.3.3-20150827
- version/eclipse jetty/9.3.4-20151005
- version/eclipse jetty/9.3.4-20151007
- version/eclipse jetty/9.3.4-rc0
- version/eclipse jetty/9.3.4-rc1
- version/eclipse jetty/9.3.5-20151012
- version/eclipse jetty/9.3.6-20151106
- version/eclipse jetty/9.3.7-20160115
- version/eclipse jetty/9.3.7-rc0
- version/eclipse jetty/9.3.7-rc1
- version/eclipse jetty/9.3.8-20160311
- version/eclipse jetty/9.3.8-20160314
- version/eclipse jetty/9.3.8-rc0
- version/eclipse jetty/9.3.9-20160517
- version/eclipse jetty/9.3.9-maintenance_0
- version/eclipse jetty/9.3.9-maintenance_1
- version/eclipse jetty/9.3.10-20160621
- version/eclipse jetty/9.3.10-maintenance_0
- version/eclipse jetty/9.3.11-20160721
- version/eclipse jetty/9.3.11-maintenance_0
- version/eclipse jetty/9.3.12-20160915
- version/eclipse jetty/9.3.13-20161014
- version/eclipse jetty/9.3.13-maintenance_0
- version/eclipse jetty/9.3.14-20161028
- version/eclipse jetty/9.3.15-20161220
- version/eclipse jetty/9.3.16-20170119
- version/eclipse jetty/9.3.16-20170120
- version/eclipse jetty/9.3.17-20170317
- version/eclipse jetty/9.3.17-rc0
- version/eclipse jetty/9.3.18-20170406
- version/eclipse jetty/9.3.19-20170502
- version/eclipse jetty/9.3.20-20170531
- version/eclipse jetty/9.3.21-20170918
- version/eclipse jetty/9.3.21-maintenance_0
- version/eclipse jetty/9.3.21-rc0
- version/eclipse jetty/9.3.22-20171030
- version/eclipse jetty/9.3.23-20180228
- version/eclipse jetty/9.3.24-20180605
- version/eclipse jetty/9.4.0-20161207
- version/eclipse jetty/9.4.0-20161208
- version/eclipse jetty/9.4.0-20180619
- version/eclipse jetty/9.4.0-maintenance_0
- version/eclipse jetty/9.4.0-maintenance_1
- version/eclipse jetty/9.4.0-rc0
- version/eclipse jetty/9.4.0-rc1
- version/eclipse jetty/9.4.0-rc2
- version/eclipse jetty/9.4.0-rc3
- version/eclipse jetty/9.4.1-20170120
- version/eclipse jetty/9.4.1-20180619
- version/eclipse jetty/9.4.2-20170220
- version/eclipse jetty/9.4.2-20180619
- version/eclipse jetty/9.4.3-20170317
- version/eclipse jetty/9.4.3-20180619
- version/eclipse jetty/9.4.4-20170410
- version/eclipse jetty/9.4.4-20170414
- version/eclipse jetty/9.4.4-20180619
- version/eclipse jetty/9.4.5-20170502
- version/eclipse jetty/9.4.5-20180619
- version/eclipse jetty/9.4.6-20170531
- version/eclipse jetty/9.4.6-20180619
- version/eclipse jetty/9.4.7-20170914
- version/eclipse jetty/9.4.7-20180619
- version/eclipse jetty/9.4.7-rc0
- version/eclipse jetty/9.4.8-20171121
- version/eclipse jetty/9.4.8-20180619
- version/eclipse jetty/9.4.9-20180320
- version/eclipse jetty/9.4.10-20180503
- version/eclipse jetty/9.4.10-rc0
- version/eclipse jetty/9.4.10-rc1
- version/eclipse jetty/9.4.11-20180605
- version/eclipse jetty/9.4.12-rc0
- version/eclipse jetty/9.4.12-rc1
- version/eclipse jetty/9.4.12-rc2
- vendor/fedoraproject
- canonical/fedora
- version/fedora/28