Details
-
Bug
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
8.8.1
-
None
-
None
-
None
Description
High security vulnerability ahs been reported in the Jetty jar bundled within Solr:
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server - CVE-2020-27223 (+1)
Vulnerability Details
CVE-2020-27223
Affected Component(s): Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
Vulnerability Published: 2021-02-26 17:15 EST
Vulnerability Updated: 2021-03-05 16:25 EST
CVSS Score: 7.5 (overall), 7.5 (base)
Summary: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Solution: N/A
Workaround: N/A
BDSA-2020-4221
Affected Component(s): Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
Vulnerability Published: 2021-03-01 06:37 EST
Vulnerability Updated: 2021-03-01 06:37 EST
CVSS Score: 4.6 (overall), 5.3 (base)
Summary: Jetty is vulnerable to denial-of-service (DoS) due to the use of an exponential algorithm that can have excessive resource requirements. A remote attacker could cause a vulnerable server to become unresponsive by sending maliciously crafted HTTP requests to that server.
Solution: Fixed by this commit in:
Jetty library needs to be updated to 9.4.37.v20210219 or above. **
Attachments
Issue Links
- is fixed by
-
SOLR-15316 Update Jetty to 9.4.41
- Closed