Vulnerability CVE-2020-27223

Vulnerability Name:

CVE-2020-27223 (CCN-197559)

Assigned:

2020-10-19

Published:

2021-02-26

Updated:

2021-09-16

Summary:

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

CVSS v3 Severity:

5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-400

Vulnerability Consequences:

Denial of Service

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.6:20180619:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.4.7 and < 9.4.36)

OR cpe:/a:eclipse:jetty:9.4.36:-:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.36:20210114:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:10.0.0:-:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*

Configuration 2:

cpe:/a:apache:nifi:1.13.0:-:*:*:*:*:*:*

OR cpe:/a:apache:spark:3.1.1:-:*:*:*:*:*:*

Configuration 3:

cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.70.1)

OR cpe:/a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*

OR cpe:/a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:hci:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:hci_management_node:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snapmanager:-:*:*:*:*:oracle:*:*

OR cpe:/a:netapp:snapmanager:-:*:*:*:*:sap:*:*

OR cpe:/a:netapp:solidfire:-:*:*:*:*:*:*:*

Configuration 4:

cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 5:

cpe:/a:apache:solr:8.8.1:*:*:*:*:*:*:*

Configuration 6:

cpe:/a:oracle:rest_data_services:*:*:*:*:-:*:*:* (Version < 20.4.3.050.1904)

Configuration CCN 1:

cpe:/a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.36:20210114:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:10.0.0:-:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*

AND

cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.7.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.0.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.0.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.7.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:secure_proxy:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.7.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.0.5.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.1.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.2.7.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.0.5.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.1.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:7.1.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:secure_proxy:3.4.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:secure_proxy:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:secure_external_authentication_server:2.4.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:secure_external_authentication_server:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:secure_external_authentication_server:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8024	P	jetty-http-9.4.48-150200.3.16.3 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:3395	P	vsftpd-3.0.2-40.11.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94954	P	libmicrohttpd-devel-0.9.57-1.33 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95025	P	jetty-http-9.4.43-3.12.2 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:102247	P	Security update for xen (Important)	2022-02-04
oval:org.opensuse.security:def:101667	P	Security update for ghostscript (Moderate)	2022-01-17
oval:org.opensuse.security:def:112474	P	jetty-annotations-9.4.43-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:4545	P	Security update for the Linux Kernel (Live Patch 17 for SLE 12 SP5) (Important)	2021-12-14
oval:org.opensuse.security:def:105971	P	jetty-annotations-9.4.43-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:101275	P	jetty-http-9.4.38-3.6.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:63017	P	jetty-http-9.4.38-3.6.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72736	P	jetty-http-9.4.38-3.6.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1928	P	jetty-http-9.4.38-3.6.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:117847	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:5986	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:97338	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:108913	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:95534	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:65634	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:74702	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:67075	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:76143	P	Security update for jetty-minimal (Important)	2021-03-24
oval:org.opensuse.security:def:108333	P	Security update for jetty-minimal (Important)	2021-03-24

BACK