First published: Mon Oct 14 2024(Updated: )
### Impact Remote DOS attack can cause out of memory ### Description There exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory. ### Affected Versions * Jetty 12.0.0-12.0.8 (Supported) * Jetty 11.0.0-11.0.23 (EOL) * Jetty 10.0.0-10.0.23 (EOL) * Jetty 9.3.12-9.4.55 (EOL) ### Patched Versions * Jetty 12.0.9 * Jetty 11.0.24 * Jetty 10.0.24 * Jetty 9.4.56 ### Workarounds Do not use `ThreadLimitHandler`. Consider use of `QoSHandler` instead to artificially limit resource utilization. ### References Jetty 12 - https://github.com/jetty/jetty.project/pull/11723
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.eclipse.jetty:jetty-server | >=9.3.12<=9.4.55 | 9.4.56 |
maven/org.eclipse.jetty:jetty-server | >=11.0.0<=11.0.23 | 11.0.24 |
maven/org.eclipse.jetty:jetty-server | >=10.0.0<=10.0.23 | 10.0.24 |
maven/org.eclipse.jetty:jetty-server | >=12.0.0<=12.0.8 | 12.0.9 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.