Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-4233

dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

      Description

      What do you know—I encountered a Jetty vulnerability while trying to prepare a new 3.7.0 RC:

      [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper: 
      [ERROR] 
      [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': 
      [ERROR] 
      [ERROR] jetty-server-9.4.35.v20201120.jar: CVE-2020-27223
      [ERROR] jetty-http-9.4.35.v20201120.jar: CVE-2020-27223
      

      CVE-2020-27223 describes it as:

      In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

      This may not be the end of the world wrt. ZooKeeper, but it doesn't look good in a fresh release.

        Attachments

          Activity

            People

            • Assignee:
              ztzg Damien Diederen
              Reporter:
              ztzg Damien Diederen

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 2h 50m
                2h 50m

                  Issue deployment