CVE-2024-6762: Jetty PushSessionCacheFilter can cause remote DoS attacks
First published: Mon Oct 14 2024(Updated: )
### Impact Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory. ### Patches * https://github.com/jetty/jetty.project/pull/9715 * https://github.com/jetty/jetty.project/pull/9716 ### Workarounds The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by: + not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead. + reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory. + configuring a session cache to use [session passivation](https://jetty.org/docs/jetty/12/programming-guide/server/session.html), so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory. ### References * https://github.com/jetty/jetty.project/pull/10756 * https://github.com/jetty/jetty.project/pull/10755
Credit: emo@eclipse.org emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.eclipse.jetty:jetty-servlets | >=12.0.0<=12.0.3 | 12.0.4 |
| maven/org.eclipse.jetty:jetty-servlets | >=11.0.0<=11.0.17 | 11.0.18 |
| maven/org.eclipse.jetty:jetty-servlets | >=10.0.0<=10.0.17 | 10.0.18 |
| Mortbay Jetty | >=10.0.0<10.0.18 | |
| Mortbay Jetty | >=11.0.0<11.0.18 | |
| Mortbay Jetty | >=12.0.0<12.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/24
- https://github.com/jetty/jetty.project/pull/9715
- https://github.com/jetty/jetty.project/pull/9716
- https://github.com/jetty/jetty.project/pull/10756
- https://github.com/jetty/jetty.project/pull/10755
- https://nvd.nist.gov/vuln/detail/CVE-2024-6762
- https://github.com/advisories/GHSA-r7m4-f9h5-gr79 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-6762?
CVE-2024-6762 is rated as a high severity vulnerability due to its potential to allow unauthenticated users to perform remote denial-of-service attacks by exhausting server memory.
How do I fix CVE-2024-6762?
To remediate CVE-2024-6762, update to Jetty version 12.0.4, 11.0.18, or 10.0.18, as applicable.
What applications are affected by CVE-2024-6762?
CVE-2024-6762 affects Eclipse Jetty versions prior to 12.0.4, 11.0.18, and 10.0.18.
What is the impact of CVE-2024-6762?
The impact of CVE-2024-6762 includes the ability for attackers to launch remote DoS attacks on servers running vulnerable Jetty versions.
Are there any workarounds for CVE-2024-6762?
Currently, implementing the available patches is the primary method for mitigating CVE-2024-6762, and no specific workarounds are detailed in the advisory.
- agent/title
- agent/type
- agent/first-publish-date
- agent/references
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r7m4-f9h5-gr79
- alias/CVE-2024-6762
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/maven
- vendor/eclipse
- canonical/mortbay jetty
- version/mortbay jetty/10.0.0
- version/mortbay jetty/11.0.0
- version/mortbay jetty/12.0.0