High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr

High security vulnerability ahs been reported in the Jetty jar bundled within Solr:

BDSA-2021-0848

Affected Component(s): Jetty: Java based HTTP, Servlet, SPDY, WebSocket Server, Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
Vulnerability Published: 2021-04-02 06:29 EDT
Vulnerability Updated: 2021-04-02 06:29 EDT
CVSS Score: 6.7 (overall), 7.5 (base)

Summary: Eclipse Jetty is vulnerable to Denial-of-Service (DoS) via invalid TLS frames. An attacker could exploit this by sending a TLS frame with a size in excess of 17408 resulting in excessive resource consumption leading to a DoS condition.

Solution: Fixed in 10.0.2 and 11.0.2 by this and this commit. Fixed in 9.4.39.v20210325 by this and this commit.

BDSA-2021-0849

Affected Component(s): Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
Vulnerability Published: 2021-04-02 06:55 EDT
Vulnerability Updated: 2021-04-02 06:55 EDT
CVSS Score: 4.6 (overall), 5.3 (base)

Summary: Eclipse Jetty is vulnerable to sensitive data exposure via default compliance mode. An attacker could exploit this by using a URL containing %2e or %2e%2e segments. These were improperly allowed to access protected resources in the WEB-INF directory.

Solution: Fixed in 9.4.39.v20210325 by this commit.

BDSA-2021-0850

Affected Component(s): Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server
Vulnerability Published: 2021-04-02 09:09 EDT
Vulnerability Updated: 2021-04-02 09:09 EDT
CVSS Score: 2.4 (overall), 2.7 (base)

Summary: Eclipse Jetty is vulnerable to sensitive data exposure via symlink directory. A high privileged attacker could exploit this in order to view the contents of a symlink webapp directory.

CVE-2021-28163

Vulnerability Published: 2021-04-01 11:15 EDT
Vulnerability Updated: 2021-04-01 11:30 EDT
CVSS Score: (under review, not scored yet - updates will be reported in issue comments)

Summary: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

CVE-2021-28164

Vulnerability Published: 2021-04-01 11:15 EDT
Vulnerability Updated: 2021-04-01 11:30 EDT
CVSS Score: (under review, not scored yet - updates will be reported in issue comments)

Summary: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CVE-2021-28165

Vulnerability Published: 2021-04-01 11:15 EDT
Vulnerability Updated: 2021-04-01 11:30 EDT
CVSS Score: (under review, not scored yet - updates will be reported in issue comments)

Summary: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.