CVE-2021-28165

First published: Thu Apr 01 2021(Updated: )

### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. ### Workarounds The problem can be worked around by compiling the following class: ```java package org.eclipse.jetty.server.ssl.fix6072; import java.nio.ByteBuffer; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import org.eclipse.jetty.io.EndPoint; import org.eclipse.jetty.io.ssl.SslConnection; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.BufferUtil; import org.eclipse.jetty.util.annotation.Name; import org.eclipse.jetty.util.ssl.SslContextFactory; public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory { public SpaceCheckingSslConnectionFactory(@Name("sslContextFactory") SslContextFactory factory, @Name("next") String nextProtocol) { super(factory, nextProtocol); } @Override protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) { return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) { @Override protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException { SSLEngineResult results = super.unwrap(sslEngine, input, output); if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW || results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && BufferUtil.space(input) == 0) { BufferUtil.clear(input); throw new SSLHandshakeException("Encrypted buffer max length exceeded"); } return results; } }; } } ``` This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: ``` [lib] lib/sslfix6072.jar ``` + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example: ```xml <Call name="addIfAbsentConnectionFactory"> <Arg> <New class="org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory"> <Arg name="next">http/1.1</Arg> <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg> </New> </Arg> </Call> ``` + Restart Jetty

Credit: emo@eclipse.org emo@eclipse.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/github-advisory-latest
• alias/GHSA-26vr-8j45-3r4w
• alias/CVE-2021-28165
• collector/github-advisory
• collector/redhat-cve
• collector/ibm-support
• collector/security-tracker-debian
• agent/author
• agent/type
• agent/first-publish-date
• agent/last-modified-date
• agent/remedy
• collector/redhat-bugzilla
• source/Red Hat
• agent/software-canonical-lookup
• agent/severity
• agent/references
• agent/weakness
• agent/event
• agent/description
• agent/softwarecombine
• agent/tags
• collector/nvd-cve
• agent/software-canonical-lookup-request
• collector/nvd-index
• package-manager/maven
• package-manager/redhat
• vendor/ibm
• canonical/ibm cognos command center
• version/ibm cognos command center/10.2.4.1
• package-manager/debian
• vendor/eclipse
• canonical/eclipse jetty
• version/eclipse jetty/7.2.2
• version/eclipse jetty/10.0.0
• version/eclipse jetty/11.0.0
• vendor/oracle
• canonical/oracle autovue for agile product lifecycle management
• version/oracle autovue for agile product lifecycle management/21.0.2
• canonical/oracle communications cloud native core policy
• version/oracle communications cloud native core policy/1.14.0
• canonical/oracle communications element manager
• version/oracle communications element manager/8.2.2
• canonical/oracle communications services gatekeeper
• version/oracle communications services gatekeeper/7.0
• canonical/oracle communications session report manager
• version/oracle communications session report manager/8.0.0.0
• version/oracle communications session report manager/8.2.4.0
• canonical/oracle communications session route manager
• version/oracle communications session route manager/8.0.0.0
• version/oracle communications session route manager/8.2.4.0
• canonical/oracle rest data services
• canonical/oracle siebel core - automation
• version/oracle siebel core - automation/21.9
• vendor/jenkins
• canonical/jenkins jenkins
• vendor/netapp
• canonical/netapp cloud manager
• canonical/netapp e-series performance analyzer
• canonical/netapp e-series santricity os controller
• version/netapp e-series santricity os controller/11.0.0
• canonical/netapp e-series santricity storage vcenter
• canonical/netapp e-series santricity web services web services proxy
• canonical/netapp ontap tools vmware vsphere
• canonical/netapp santricity cloud connector
• canonical/netapp santricity web services proxy
• canonical/netapp snapcenter
• canonical/netapp storage replication adapter for clustered data ontap vmware vsphere
• canonical/netapp vasa provider for clustered data ontap