中危 Eclipse Jetty拒绝服务漏洞

CVE编号

CVE-2020-27223

利用情况

POC 已公开

补丁情况

官方补丁

披露时间

2021-02-27
漏洞描述
Eclipse Jetty是Eclipse基金会的一个开源的、基于Java的Web服务器和Java Servlet容器。
Eclipse Jetty 9.4.6.v20170531至9.4.36.v20210114 (inclusive)版本、10.0.0和11.0.0版本存在拒绝服务漏洞。该漏洞源于处理某些质量值时CPU使用率过高。攻击者可利用该漏洞导致拒绝服务(DoS)。

受影响系统:
Eclipse Jetty 9.4.6.v20170531<= Version <=9.
Eclipse Jetty 11.0.0
Eclipse Jetty 10.0.0
解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128
参考链接
https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cac...
https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42c...
https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b...
https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d197...
https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e7856...
https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7...
https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6...
https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264...
https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881...
https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d7...
https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e41...
https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f7537...
https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1c...
https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d...
https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a...
https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d...
https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260...
https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d...
https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a...
https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f65...
https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d696...
https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307...
https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525c...
https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69e...
https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9...
https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f4...
https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c...
https://lists.apache.org/thread.html/r65c714241b9d064a44fec10d60ebf5a37d5ebad...
https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aa...
https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5...
https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb8...
https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086e...
https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9...
https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b5...
https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed25954...
https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f376506520...
https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f3441...
https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460...
https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49...
https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800f...
https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b81...
https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd...
https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd...
https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7...
https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72...
https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d26...
https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f7...
https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc12...
https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2af...
https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef...
https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c4...
https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2...
https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe...
https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d37085207448...
https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede...
https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02...
https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b...
https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b...
https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62...
https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818...
https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b43...
https://security.netapp.com/advisory/ntap-20210401-0005/
https://www.debian.org/security/2021/dsa-4949
https://www.oracle.com/security-alerts/cpuApr2021.html
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 eclipse jetty * From
(including)
9.4.7 		Up to
(excluding)
9.4.36
运行在以下环境
应用 eclipse jetty 10.0.0 -
运行在以下环境
应用 eclipse jetty 11.0.0 -
运行在以下环境
应用 eclipse jetty 9.4.36 -
运行在以下环境
应用 eclipse jetty 9.4.6 -
运行在以下环境
系统 debian_10 jetty9 * Up to
(excluding)
9.4.16-0+deb10u1
运行在以下环境
系统 debian_11 jetty9 * Up to
(excluding)
9.4.38-1
运行在以下环境
系统 debian_12 jetty9 * Up to
(excluding)
9.4.38-1
阿里云评分
6.5
  • 攻击路径
    远程
  • 攻击复杂度
    容易
  • 权限要求
    无需权限
  • 影响范围
    全局影响
  • EXP成熟度
    POC 已公开
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    N/A
CWE-ID 漏洞类型
CWE-400 未加控制的资源消耗(资源穷尽)
阿里云安全产品覆盖情况