Vulnerability CVE-2018-12545 - CERT Civis.Net

Vulnerability Name:

CVE-2018-12545 (CCN-161491)

Assigned:

2018-06-18

Published:

2019-03-27

Updated:

2020-10-23

Summary:

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2018-12545

Source: CCN
Type: IBM Security Bulletin 958555 (Netcool Agile Service Manager)
IBM Netcool Agile Service Manager is affected by a Jetty vulnerability (CVE-2018-12545)

Source: CCN
Type: Bugzilla Bug 538096
(CVE-2018-12545) - Jetty: CVE Request: Potential for Denial of Service with HTTP2/SETTING frames

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096

Source: CCN
Type: Red Hat Bugzilla Bug 1696062
(CVE-2018-12545) - CVE-2018-12545 jetty: large settings frames causing denial of service

Source: XF
Type: UNKNOWN
jetty-cve201812545-dos(161491)

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[accumulo-commits] 20190404 [accumulo] branch master updated: Update jetty to latest (CVE-2018-12545)

Source: MLIST
Type: Mailing List, Third Party Advisory
[infra-devnull] 20190402 [GitHub] [accumulo] milleruntime opened pull request #1072: Upgrade jetty to fix CVE

Source: MLIST
Type: Mailing List, Third Party Advisory
[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities

Source: MLIST
Type: Mailing List, Third Party Advisory
[accumulo-notifications] 20190402 [GitHub] [accumulo] milleruntime opened a new pull request #1072: Upgrade jetty to fix CVE

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1

Source: FEDORA
Type: Mailing List, Release Notes, Third Party Advisory
FEDORA-2019-d9f867cb65

Source: CCN
Type: Eclipse Web site
Jetty - Servlet Engine and Http Server

Source: CCN
Type: IBM Security Bulletin 964602 (Rational Functional Tester)
Vulnerability in Eclipse Jetty affecting Rational Functional Tester

Source: CCN
Type: IBM Security Bulletin 1077195 (Connect:Direct Web Services)
Java Vulnerability Affects IBM Connect:Direct Web Services (CVE-2019-10246, CVE-2019-10247, CVE-2019-10241 & CVE-2018-12545)

Source: CCN
Type: IBM Security Bulletin 6208027 (Sterling B2B Integrator)
Multiple Security Vulnerabilities in Jetty Affect IBM Sterling B2B Integrator (CVE-2018-12545, CVE-2019-10241)

Source: CCN
Type: IBM Security Bulletin 6344071 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6466729 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6586692 (Process Mining)
IBM Process Mining is vulnerable to DOS due to Eclipse Jetty CVE-2018-12545

Source: CCN
Type: IBM Security Bulletin 6983274 (Cognos Command Center)
IBM Cognos Command Center is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7005933 (Storage Protect)
IBM Storage Protect is vulnerable to multiple attacks due to http2-server and http2-common

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-12545

Vulnerable Configuration:

Configuration 1:

cpe:/a:eclipse:jetty:9.3.0:20150601:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.0:20150608:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.0:20150612:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.0:maintenance0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.0:maintenance1:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.0:maintenance2:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.0:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.0:rc1:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.1:20150714:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.2:20150730:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.3:20150825:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.3:20150827:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.4:20151005:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.4:20151007:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.4:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.4:rc1:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.5:20151012:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.6:20151106:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.7:20160115:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.7:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.7:rc1:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.8:20160311:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.8:20160314:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.8:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.9:20160517:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.9:maintenance_0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.9:maintenance_1:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.10:20160621:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.10:maintenance_0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.11:maintenance_0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.12:20160915:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.13:20161014:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.13:maintenance_0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.14:20161028:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.15:20161220:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.16:20170119:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.16:20170120:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.17:20170317:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.17:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.18:20170406:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.19:20170502:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.20:20170531:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.21:20170918:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.21:maintenance_0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.21:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.22:20171030:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.23:20180228:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.24:20180605:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:20161207:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:20161208:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:maintenance_0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:maintenance_1:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:rc1:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:rc2:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:rc3:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.1:20170120:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.1:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.2:20170220:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.2:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.3:20170317:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.3:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.4:20170410:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.4:20170414:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.4:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.5:20170502:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.5:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.6:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.7:20170914:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.7:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.7:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.8:20171121:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.8:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.9:20180320:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.10:20180503:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.10:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.10:rc1:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.12:rc0:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.12:rc1:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.12:rc2:*:*:*:*:*:*

Configuration 2:

cpe:/o:fedoraproject:fedora:28:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:eclipse:jetty:9.3.8:20160314:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.5:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.8:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.0:20150612:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.26:20190403:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.16:20190411:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.3.25:20180904:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.15:20190215:*:*:*:*:*:*

AND

cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_functional_tester:9.1.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_functional_tester:9.2.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:netcool_agile_service_manager:1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p4:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.1:-:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:201812545000	V	CVE-2018-12545 on Ubuntu 18.04 LTS (bionic) - untriaged.	2019-03-27
oval:com.ubuntu.cosmic:def:2018125450000000	V	CVE-2018-12545 on Ubuntu 18.10 (cosmic) - untriaged.	2019-03-27
oval:com.ubuntu.cosmic:def:201812545000	V	CVE-2018-12545 on Ubuntu 18.10 (cosmic) - untriaged.	2019-03-27
oval:com.ubuntu.bionic:def:2018125450000000	V	CVE-2018-12545 on Ubuntu 18.04 LTS (bionic) - untriaged.	2019-03-27
oval:com.ubuntu.trusty:def:201812545000	V	CVE-2018-12545 on Ubuntu 14.04 LTS (trusty) - untriaged.	2019-03-27
oval:com.ubuntu.xenial:def:2018125450000000	V	CVE-2018-12545 on Ubuntu 16.04 LTS (xenial) - untriaged.	2019-03-27
oval:com.ubuntu.xenial:def:201812545000	V	CVE-2018-12545 on Ubuntu 16.04 LTS (xenial) - untriaged.	2019-03-27