[ZOOKEEPER-4233] dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.5.9, 3.7.0, 3.6.2, 3.8.0
Fix Version/s: 3.5.10, 3.6.3, 3.7.0, 3.8.0
Component/s: server
Labels:
- owasp
- pull-request-available

Description

What do you know—I encountered a Jetty vulnerability while trying to prepare a new 3.7.0 RC:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': 
[ERROR] 
[ERROR] jetty-server-9.4.35.v20201120.jar: CVE-2020-27223
[ERROR] jetty-http-9.4.35.v20201120.jar: CVE-2020-27223

CVE-2020-27223 describes it as:

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

This may not be the end of the world wrt. ZooKeeper, but it doesn't look good in a fresh release.

Attachments

Issue Links

links to

GitHub Pull Request #1623

GitHub Pull Request #1624

GitHub Pull Request #1625

Activity

People

Assignee:: Damien Diederen

Reporter:: Damien Diederen

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 07/Mar/21 08:43

Updated:: 28/Mar/21 08:54

Resolved:: 10/Mar/21 05:22

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 50m