Vulnerability Name: CVE-2018-12545 (CCN-161491)
Assigned: 2018-06-18
Published: 2019-03-27
Updated: 2020-10-23
Summary: In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to denial of service if a remote client sends either large HTTP/2 SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Complete
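Both conditions named in the summary, one SETTINGS frame carrying many settings and a stream of many small SETTINGS frames, are legal HTTP/2: RFC 7540 section 6.5 only requires a SETTINGS payload to be a multiple of six bytes on stream 0, and a peer may send SETTINGS at any time, so the server has to impose its own budget. The Python below is an added example, not Jetty's code and not the fix shipped for this CVE. It decodes SETTINGS frames and applies a per-connection cap on entries per frame and on frames per sliding window before any per-setting work is done; the limit values, the `SettingsGuard` name and the three constructed client behaviours in `demo()` are assumptions for illustration.

```python
"""Bounded HTTP/2 SETTINGS frame handling (added example; not Jetty code).

Frame layout per RFC 7540: 9-byte header (24-bit length, 8-bit type,
8-bit flags, 1 reserved bit + 31-bit stream id) followed by the payload.
A SETTINGS payload is a sequence of 6-byte (16-bit id, 32-bit value) pairs.
All limit values below are assumed illustrative numbers, not Jetty defaults.
"""
import struct
from collections import deque

FRAME_HEADER_LEN = 9
SETTINGS_TYPE = 0x4
SETTINGS_ACK = 0x1
SETTING_LEN = 6


class ProtocolError(Exception):
    """Malformed frame; a real server would answer PROTOCOL_ERROR or FRAME_SIZE_ERROR."""


class EnhanceYourCalm(Exception):
    """Peer over budget; a real server would send GOAWAY with ENHANCE_YOUR_CALM (0xb)."""


def build_settings_frame(settings, ack=False):
    """Encode a SETTINGS frame from a list of (identifier, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_TYPE, SETTINGS_ACK if ack else 0])
              + (0).to_bytes(4, "big"))  # SETTINGS is always on stream 0
    return header + payload


def parse_settings_frame(frame):
    """Decode one SETTINGS frame into a list of (identifier, value) pairs."""
    if len(frame) < FRAME_HEADER_LEN:
        raise ProtocolError("frame shorter than header")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    if ftype != SETTINGS_TYPE:
        raise ProtocolError("not a SETTINGS frame")
    if stream_id != 0:
        raise ProtocolError("SETTINGS on non-zero stream")
    payload = frame[FRAME_HEADER_LEN:]
    if len(payload) != length:
        raise ProtocolError("payload length mismatch")
    if flags & SETTINGS_ACK:
        if length:
            raise ProtocolError("SETTINGS ACK with payload")
        return []
    if length % SETTING_LEN:
        raise ProtocolError("payload not a multiple of 6 bytes")
    return [struct.unpack("!HI", payload[i:i + SETTING_LEN])
            for i in range(0, length, SETTING_LEN)]


class SettingsGuard:
    """Per-connection budget: entries per frame and frames per sliding window.

    The two caps map onto the two conditions in the advisory (one large frame,
    many small frames).  The check runs before any per-setting work, which is
    where the summary locates the CPU and memory cost.
    """

    def __init__(self, max_entries=8, max_frames=20, window=1.0):
        self.max_entries, self.max_frames, self.window = max_entries, max_frames, window
        self._arrivals = deque()  # receive times of recent SETTINGS frames

    def accept(self, frame, now):
        """Parse `frame` received at time `now` (seconds); raise if over budget."""
        settings = parse_settings_frame(frame)
        if len(settings) > self.max_entries:
            raise EnhanceYourCalm(f"{len(settings)} settings in one frame")
        self._arrivals.append(now)
        while self._arrivals and now - self._arrivals[0] > self.window:
            self._arrivals.popleft()
        if len(self._arrivals) > self.max_frames:
            raise EnhanceYourCalm(f"{len(self._arrivals)} SETTINGS frames within {self.window}s")
        return settings


def demo():
    """Run the guard over three constructed client behaviours."""
    # Ordinary client: MAX_CONCURRENT_STREAMS (0x3) and INITIAL_WINDOW_SIZE (0x4).
    normal = SettingsGuard().accept(build_settings_frame([(3, 100), (4, 65535)]), now=0.0)

    # One large frame: 2000 entries is 12000 bytes, under the default 16384-byte
    # SETTINGS_MAX_FRAME_SIZE, so the protocol itself does not reject it.
    try:
        SettingsGuard().accept(build_settings_frame([(3, 100)] * 2000), now=0.0)
        large = "accepted"
    except EnhanceYourCalm:
        large = "rejected"

    # Many small frames: one entry each, sent 10 ms apart.
    guard, flood_rejected_at = SettingsGuard(), None
    for i in range(50):
        try:
            guard.accept(build_settings_frame([(3, 100 + i)]), now=i * 0.01)
        except EnhanceYourCalm:
            flood_rejected_at = i + 1
            break

    return {"normal": normal, "large": large, "flood_rejected_at": flood_rejected_at}


if __name__ == "__main__":
    print(demo())
```

The frame-level checks (stream 0, six-byte multiples, empty ACK) are what the RFC already demands; the guard adds the two resource bounds the RFC leaves to the implementation. Rejecting with a connection-level error rather than silently dropping frames matters, because a client that keeps a connection open after being throttled can still consume the budget of the next window.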
Vulnerability Type: CWE-770 (Allocation of Resources Without Limits or Throttling)
Vulnerability Consequences: Denial of Service
References:
Source: MITRE Type: CNA CVE-2018-12545
Source: CCN Type: IBM Security Bulletin 958555 (Netcool Agile Service Manager) IBM Netcool Agile Service Manager is affected by a Jetty vulnerability (CVE-2018-12545)
Source: CCN Type: Bugzilla Bug 538096 (CVE-2018-12545) - Jetty: CVE Request: Potential for Denial of Service with HTTP2/SETTING frames
Source: CONFIRM Type: Issue Tracking, Vendor Advisory https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096
Source: CCN Type: Red Hat Bugzilla Bug 1696062 (CVE-2018-12545) - CVE-2018-12545 jetty: large settings frames causing denial of service
Source: XF Type: UNKNOWN jetty-cve201812545-dos(161491)
Source: MLIST Type: Mailing List, Patch, Third Party Advisory [accumulo-commits] 20190404 [accumulo] branch master updated: Update jetty to latest (CVE-2018-12545)
Source: MLIST Type: Mailing List, Third Party Advisory [infra-devnull] 20190402 [GitHub] [accumulo] milleruntime opened pull request #1072: Upgrade jetty to fix CVE
Source: MLIST Type: Mailing List, Third Party Advisory [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities
Source: MLIST Type: Mailing List, Third Party Advisory [accumulo-notifications] 20190402 [GitHub] [accumulo] milleruntime opened a new pull request #1072: Upgrade jetty to fix CVE
Source: MLIST Type: Mailing List, Third Party Advisory [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
Source: FEDORA Type: Mailing List, Release Notes, Third Party Advisory FEDORA-2019-d9f867cb65
Source: CCN Type: Eclipse Web site Jetty - Servlet Engine and Http Server
Source: CCN Type: IBM Security Bulletin 964602 (Rational Functional Tester) Vulnerability in Eclipse Jetty affecting Rational Functional Tester
Source: CCN Type: IBM Security Bulletin 1077195 (Connect:Direct Web Services) Java Vulnerability Affects IBM Connect:Direct Web Services (CVE-2019-10246, CVE-2019-10247, CVE-2019-10241 & CVE-2018-12545)
Source: CCN Type: IBM Security Bulletin 6208027 (Sterling B2B Integrator) Multiple Security Vulnerabilities in Jetty Affect IBM Sterling B2B Integrator (CVE-2018-12545, CVE-2019-10241)
Source: CCN Type: IBM Security Bulletin 6344071 (QRadar SIEM) IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities
Source: CCN Type: IBM Security Bulletin 6466729 (Cognos Analytics) IBM Cognos Analytics has addressed multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6586692 (Process Mining) IBM Process Mining is vulnerable to DoS due to Eclipse Jetty CVE-2018-12545
Source: CCN Type: IBM Security Bulletin 6983274 (Cognos Command Center) IBM Cognos Command Center is affected by multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 7005933 (Storage Protect) IBM Storage Protect is vulnerable to multiple attacks due to http2-server and http2-common
Source: MISC Type: Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2020.html
Source: MISC Type: Patch, Third Party Advisory https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Source: CCN Type: WhiteSource Vulnerability Database CVE-2018-12545
Vulnerable Configuration:
Configuration 1 (any of the following Jetty builds):
cpe:/a:eclipse:jetty:9.3.0:20150601:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.0:20150608:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.0:20150612:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.0:maintenance0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.0:maintenance1:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.0:maintenance2:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.0:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.0:rc1:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.1:20150714:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.2:20150730:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.3:20150825:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.3:20150827:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.4:20151005:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.4:20151007:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.4:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.4:rc1:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.5:20151012:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.6:20151106:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.7:20160115:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.7:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.7:rc1:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.8:20160311:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.8:20160314:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.8:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.9:20160517:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.9:maintenance_0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.9:maintenance_1:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.10:20160621:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.10:maintenance_0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.11:maintenance_0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.12:20160915:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.13:20161014:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.13:maintenance_0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.14:20161028:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.15:20161220:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.16:20170119:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.16:20170120:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.17:20170317:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.17:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.18:20170406:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.19:20170502:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.20:20170531:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.21:20170918:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.21:maintenance_0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.21:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.22:20171030:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.23:20180228:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.24:20180605:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:20161207:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:20161208:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:maintenance_0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:maintenance_1:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:rc1:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:rc2:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:rc3:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.1:20170120:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.1:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.2:20170220:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.2:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.3:20170317:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.3:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.4:20170410:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.4:20170414:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.4:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.5:20170502:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.5:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.6:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.7:20170914:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.7:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.7:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.8:20171121:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.8:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.9:20180320:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.10:20180503:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.10:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.10:rc1:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.12:rc0:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.12:rc1:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.12:rc2:*:*:*:*:*:*
Configuration 2:
cpe:/o:fedoraproject:fedora:28:*:*:*:*:*:*:*
Configuration CCN 1 (any of the following Jetty builds):
cpe:/a:eclipse:jetty:9.3.8:20160314:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.5:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.8:20180619:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.0:20150612:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.26:20190403:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.16:20190411:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.3.25:20180904:*:*:*:*:*:*
cpe:/a:eclipse:jetty:9.4.15:20190215:*:*:*:*:*:*
AND any of the following IBM products:
cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*
cpe:/a:ibm:rational_functional_tester:9.1.1.1:*:*:*:*:*:*:*
cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:*
cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:*
cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*
cpe:/a:ibm:rational_functional_tester:9.2.1.1:*:*:*:*:*:*:*
cpe:/a:ibm:netcool_agile_service_manager:1.1:*:*:*:*:*:*:*
cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
cpe:/a:ibm:sterling_b2b_integrator:6.0.3.1:*:*:*:*:*:*:*
cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p4:*:*:*:*:*:*
cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*
cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.1:-:*:*:*:*:*:*
Vulnerable Components:
eclipse jetty 9.3.0 20150601
eclipse jetty 9.3.0 20150608
eclipse jetty 9.3.0 20150612
eclipse jetty 9.3.0 maintenance0
eclipse jetty 9.3.0 maintenance1
eclipse jetty 9.3.0 maintenance2
eclipse jetty 9.3.0 rc0
eclipse jetty 9.3.0 rc1
eclipse jetty 9.3.1 20150714
eclipse jetty 9.3.2 20150730
eclipse jetty 9.3.3 20150825
eclipse jetty 9.3.3 20150827
eclipse jetty 9.3.4 20151005
eclipse jetty 9.3.4 20151007
eclipse jetty 9.3.4 rc0
eclipse jetty 9.3.4 rc1
eclipse jetty 9.3.5 20151012
eclipse jetty 9.3.6 20151106
eclipse jetty 9.3.7 20160115
eclipse jetty 9.3.7 rc0
eclipse jetty 9.3.7 rc1
eclipse jetty 9.3.8 20160311
eclipse jetty 9.3.8 20160314
eclipse jetty 9.3.8 rc0
eclipse jetty 9.3.9 20160517
eclipse jetty 9.3.9 maintenance_0
eclipse jetty 9.3.9 maintenance_1
eclipse jetty 9.3.10 20160621
eclipse jetty 9.3.10 maintenance_0
eclipse jetty 9.3.11 20160721
eclipse jetty 9.3.11 maintenance_0
eclipse jetty 9.3.12 20160915
eclipse jetty 9.3.13 20161014
eclipse jetty 9.3.13 maintenance_0
eclipse jetty 9.3.14 20161028
eclipse jetty 9.3.15 20161220
eclipse jetty 9.3.16 20170119
eclipse jetty 9.3.16 20170120
eclipse jetty 9.3.17 20170317
eclipse jetty 9.3.17 rc0
eclipse jetty 9.3.18 20170406
eclipse jetty 9.3.19 20170502
eclipse jetty 9.3.20 20170531
eclipse jetty 9.3.21 20170918
eclipse jetty 9.3.21 maintenance_0
eclipse jetty 9.3.21 rc0
eclipse jetty 9.3.22 20171030
eclipse jetty 9.3.23 20180228
eclipse jetty 9.3.24 20180605
eclipse jetty 9.4.0 20161207
eclipse jetty 9.4.0 20161208
eclipse jetty 9.4.0 20180619
eclipse jetty 9.4.0 maintenance_0
eclipse jetty 9.4.0 maintenance_1
eclipse jetty 9.4.0 rc0
eclipse jetty 9.4.0 rc1
eclipse jetty 9.4.0 rc2
eclipse jetty 9.4.0 rc3
eclipse jetty 9.4.1 20170120
eclipse jetty 9.4.1 20180619
eclipse jetty 9.4.2 20170220
eclipse jetty 9.4.2 20180619
eclipse jetty 9.4.3 20170317
eclipse jetty 9.4.3 20180619
eclipse jetty 9.4.4 20170410
eclipse jetty 9.4.4 20170414
eclipse jetty 9.4.4 20180619
eclipse jetty 9.4.5 20170502
eclipse jetty 9.4.5 20180619
eclipse jetty 9.4.6 20170531
eclipse jetty 9.4.6 20180619
eclipse jetty 9.4.7 20170914
eclipse jetty 9.4.7 20180619
eclipse jetty 9.4.7 rc0
eclipse jetty 9.4.8 20171121
eclipse jetty 9.4.8 20180619
eclipse jetty 9.4.9 20180320
eclipse jetty 9.4.10 20180503
eclipse jetty 9.4.10 rc0
eclipse jetty 9.4.10 rc1
eclipse jetty 9.4.11 20180605
eclipse jetty 9.4.12 rc0
eclipse jetty 9.4.12 rc1
eclipse jetty 9.4.12 rc2
fedoraproject fedora 28
eclipse jetty 9.3.8 20160314
eclipse jetty 9.4.5 20180619
eclipse jetty 9.4.0 20180619
eclipse jetty 9.4.8 20180619
eclipse jetty 9.3.0 20150612
eclipse jetty 9.3.26 20190403
eclipse jetty 9.4.16 20190411
eclipse jetty 9.3.25 20180904
eclipse jetty 9.4.15 20190215
ibm cognos analytics 11.0
ibm rational functional tester 9.1.1.1
ibm qradar security information and event manager 7.3.0
ibm sterling b2b integrator 5.2.0.0
ibm cognos command center 10.2.4.1
ibm rational functional tester 9.2.1.1
ibm netcool agile service manager 1.1
ibm cognos analytics 11.1
ibm sterling b2b integrator 6.0.3.1
ibm qradar security information and event manager 7.3.3 p4
ibm qradar security information and event manager 7.4.0
ibm qradar security information and event manager 7.4.1
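For the supply-chain side of this record, the affected range can be read off Configuration 1 above: 9.3.0 through 9.3.24, 9.4.0 through 9.4.11, and the 9.4.12 release candidates. The Python below is an added example, not a tool from this page or from Eclipse. It scans dependency lines in the `groupId:artifactId:type:version:scope` layout that `mvn dependency:list` prints (the sample lines are constructed) and reports Jetty artifacts inside that range. It also notes whether an HTTP/2 module (`http2-server`, `http2-common`, the artifacts the Storage Protect bulletin names) is present, because a SETTINGS frame is an HTTP/2 construct and a Jetty deployment that never loads the HTTP/2 modules does not parse them. Versions later than the listed ranges come back not affected from this check; confirm against the vendor advisory before closing a finding, and note that the CCN configuration is a separate list of builds seen in IBM products.

```python
"""Triage a Maven dependency list for Jetty builds in the CVE-2018-12545 range.

Added example, not a tool from this page or from Eclipse.  The affected
ranges are read off Configuration 1 above; the sample dependency lines are
constructed to mirror the groupId:artifactId:type:version:scope layout that
`mvn dependency:list` prints.
"""
import re
from typing import NamedTuple

# From Configuration 1: 9.3.0 .. 9.3.24, 9.4.0 .. 9.4.11, and the 9.4.12 RCs.
AFFECTED_RANGES = (((9, 3, 0), (9, 3, 24)), ((9, 4, 0), (9, 4, 11)))
AFFECTED_PRERELEASE = {(9, 4, 12): ("rc",)}

JETTY_GROUPS = {"org.eclipse.jetty", "org.eclipse.jetty.http2"}
# SETTINGS frames are only parsed when an HTTP/2 module is on the classpath.
HTTP2_ARTIFACTS = {"http2-server", "http2-common", "http2-hpack"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9_]+))?$")
_DEP_RE = re.compile(
    r"(?P<group>[\w.]+):(?P<artifact>[\w-]+):(?P<type>\w+):(?P<version>[^:\s]+)(?::(?P<scope>\w+))?"
)


class JettyVersion(NamedTuple):
    core: tuple       # (major, minor, patch)
    qualifier: str    # e.g. "v20180605", "rc2", "m0"; lower-cased, "" if absent


def parse_version(text):
    """Split a Jetty version such as 9.4.11.v20180605 or 9.4.12.RC2."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return JettyVersion((int(m[1]), int(m[2]), int(m[3])), (m[4] or "").lower())


def is_affected(version):
    """True if `version` falls inside the Configuration 1 ranges."""
    v = parse_version(version) if isinstance(version, str) else version
    if any(lo <= v.core <= hi for lo, hi in AFFECTED_RANGES):
        return True
    # Only pre-release qualifiers of 9.4.12 are listed; the general release is not.
    return v.qualifier.startswith(AFFECTED_PRERELEASE.get(v.core, ()))


def triage_dependencies(lines):
    """Return (affected Jetty artifacts, whether an HTTP/2 module is present)."""
    affected, http2_present = [], False
    for line in lines:
        m = _DEP_RE.search(line)
        if not m or m["group"] not in JETTY_GROUPS:
            continue
        if m["artifact"] in HTTP2_ARTIFACTS:
            http2_present = True
        if is_affected(m["version"]):
            affected.append((m["group"], m["artifact"], m["version"]))
    return affected, http2_present


# Constructed sample: what `mvn dependency:list` might print for an app on Jetty 9.4.11.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.eclipse.jetty:jetty-server:jar:9.4.11.v20180605:compile
[INFO]    org.eclipse.jetty.http2:http2-server:jar:9.4.11.v20180605:compile
[INFO]    org.eclipse.jetty.http2:http2-common:jar:9.4.11.v20180605:compile
[INFO]    org.eclipse.jetty:jetty-util:jar:9.4.11.v20180605:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.6:compile
""".splitlines()


def demo(lines=SAMPLE_DEPENDENCY_LIST):
    """Triage the sample list and attach a reachability note."""
    affected, http2_present = triage_dependencies(lines)
    if http2_present:
        verdict = "HTTP/2 module present: SETTINGS frames are parsed"
    else:
        verdict = "no HTTP/2 module on the classpath: SETTINGS frames are not parsed"
    return affected, http2_present, verdict


if __name__ == "__main__":
    found, _, note = demo()
    for group, artifact, version in found:
        print(f"affected: {group}:{artifact}:{version}")
    print(note)
```

Every Jetty module shares one version, so `jetty-server` and `jetty-util` are reported alongside the HTTP/2 artifacts even though the vulnerable parsing lives in the latter; the `http2_present` flag is what turns a version match into a reachable finding.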