Severity: 7.5
CWE: 770, 400

CVE-2018-12545

First published: Wed Mar 27 2019

Eclipse Jetty is vulnerable to a denial of service caused by the additional CPU and memory allocations required to handle changed settings. By sending either large SETTINGS frames containing many settings, or many small SETTINGS frames, a remote attacker could exploit this vulnerability to cause a denial of service.

Credit: emo@eclipse.org

Affected Software | Affected Version | How to fix
IBM Cognos Analytics<=12.0.0-12.0.3
IBM Cognos Analytics<=11.2.0-11.2.4 FP3
Mortbay Jetty=9.3.0-20150601
Mortbay Jetty=9.3.0-20150608
Mortbay Jetty=9.3.0-20150612
Mortbay Jetty=9.3.0-maintenance0
Mortbay Jetty=9.3.0-maintenance1
Mortbay Jetty=9.3.0-maintenance2
Mortbay Jetty=9.3.0-rc0
Mortbay Jetty=9.3.0-rc1
Mortbay Jetty=9.3.1-20150714
Mortbay Jetty=9.3.2-20150730
Mortbay Jetty=9.3.3-20150825
Mortbay Jetty=9.3.3-20150827
Mortbay Jetty=9.3.4-20151005
Mortbay Jetty=9.3.4-20151007
Mortbay Jetty=9.3.4-rc0
Mortbay Jetty=9.3.4-rc1
Mortbay Jetty=9.3.5-20151012
Mortbay Jetty=9.3.6-20151106
Mortbay Jetty=9.3.7-20160115
Mortbay Jetty=9.3.7-rc0
Mortbay Jetty=9.3.7-rc1
Mortbay Jetty=9.3.8-20160311
Mortbay Jetty=9.3.8-20160314
Mortbay Jetty=9.3.8-rc0
Mortbay Jetty=9.3.9-20160517
Mortbay Jetty=9.3.9-maintenance_0
Mortbay Jetty=9.3.9-maintenance_1
Mortbay Jetty=9.3.10-20160621
Mortbay Jetty=9.3.10-maintenance_0
Mortbay Jetty=9.3.11-20160721
Mortbay Jetty=9.3.11-maintenance_0
Mortbay Jetty=9.3.12-20160915
Mortbay Jetty=9.3.13-20161014
Mortbay Jetty=9.3.13-maintenance_0
Mortbay Jetty=9.3.14-20161028
Mortbay Jetty=9.3.15-20161220
Mortbay Jetty=9.3.16-20170119
Mortbay Jetty=9.3.16-20170120
Mortbay Jetty=9.3.17-20170317
Mortbay Jetty=9.3.17-rc0
Mortbay Jetty=9.3.18-20170406
Mortbay Jetty=9.3.19-20170502
Mortbay Jetty=9.3.20-20170531
Mortbay Jetty=9.3.21-20170918
Mortbay Jetty=9.3.21-maintenance_0
Mortbay Jetty=9.3.21-rc0
Mortbay Jetty=9.3.22-20171030
Mortbay Jetty=9.3.23-20180228
Mortbay Jetty=9.3.24-20180605
Mortbay Jetty=9.4.0-20161207
Mortbay Jetty=9.4.0-20161208
Mortbay Jetty=9.4.0-20180619
Mortbay Jetty=9.4.0-maintenance_0
Mortbay Jetty=9.4.0-maintenance_1
Mortbay Jetty=9.4.0-rc0
Mortbay Jetty=9.4.0-rc1
Mortbay Jetty=9.4.0-rc2
Mortbay Jetty=9.4.0-rc3
Mortbay Jetty=9.4.1-20170120
Mortbay Jetty=9.4.1-20180619
Mortbay Jetty=9.4.2-20170220
Mortbay Jetty=9.4.2-20180619
Mortbay Jetty=9.4.3-20170317
Mortbay Jetty=9.4.3-20180619
Mortbay Jetty=9.4.4-20170410
Mortbay Jetty=9.4.4-20170414
Mortbay Jetty=9.4.4-20180619
Mortbay Jetty=9.4.5-20170502
Mortbay Jetty=9.4.5-20180619
Mortbay Jetty=9.4.6-20170531
Mortbay Jetty=9.4.6-20180619
Mortbay Jetty=9.4.7-20170914
Mortbay Jetty=9.4.7-20180619
Mortbay Jetty=9.4.7-rc0
Mortbay Jetty=9.4.8-20171121
Mortbay Jetty=9.4.8-20180619
Mortbay Jetty=9.4.9-20180320
Mortbay Jetty=9.4.10-20180503
Mortbay Jetty=9.4.10-rc0
Mortbay Jetty=9.4.10-rc1
Mortbay Jetty=9.4.11-20180605
Mortbay Jetty=9.4.12-rc0
Mortbay Jetty=9.4.12-rc1
Mortbay Jetty=9.4.12-rc2
Red Hat Fedora=28


Frequently Asked Questions

  • What is the severity of CVE-2018-12545?

    The severity of CVE-2018-12545 is considered high due to its potential to cause denial of service.

  • How do I fix CVE-2018-12545?

    To fix CVE-2018-12545, upgrade to a version of Eclipse Jetty that includes the patch for this vulnerability.

  • What versions of Eclipse Jetty are affected by CVE-2018-12545?

    CVE-2018-12545 affects multiple versions of Eclipse Jetty, including specific releases from 9.3.0 to 9.4.x.

  • What kind of attacks can exploit CVE-2018-12545?

    CVE-2018-12545 can be exploited by sending large or numerous SETTINGS frames, leading to excessive CPU and memory usage.

  • Is there a workaround for CVE-2018-12545?

    There are no confirmed workarounds for CVE-2018-12545; applying the patch is the recommended solution.
