Vulnerability Name:

CVE-2021-28165 (CCN-199305)

Assigned:2021-04-01
Published:2021-04-01
Updated:2022-07-29
Summary:In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. This is an unauthenticated, network-triggerable denial of service against a TLS-enabled Jetty connector, with no confidentiality or integrity impact (see the CVSS vectors below); it is fixed in Jetty 9.4.39, 10.0.2 and 11.0.2 (see Vulnerable Configuration).
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type:CWE-755 (Improper Handling of Exceptional Conditions)
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20210420 Vulnerability in Jenkins

Source: XF
Type: UNKNOWN
eclipse-cve202128165-dos(199305)

Source: CCN
Type: Jetty GIT Repository
CPU 100% receiving an invalid large TLS frame

Source: CONFIRM
Type: Exploit, Third Party Advisory
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Issue Tracking, Mailing List, Patch, Third Party Advisory
[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Patch, Third Party Advisory
[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39

Source: MLIST
Type: Mailing List, Third Party Advisory
[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 (#49)

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165

Source: MLIST
Type: Issue Tracking, Mailing List, Third Party Advisory
[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165

Source: CONFIRM
Type: Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20210611-0006/

Source: DEBIAN
Type: Third Party Advisory
DSA-4949

Source: CCN
Type: IBM Security Bulletin 6462299 (Resilient)
IBM Resilient SOAR is Using Components with Known Vulnerabilities - Eclipse Jetty (CVE-2021-28163, CVE-2021-28164, CVE-2021-28165)

Source: CCN
Type: IBM Security Bulletin 6466729 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6469939 (UrbanCode Deploy)
CVE-2021-28165 In Eclipse Jetty CPU usage can reach 100% upon receiving a large invalid TLS frame.

Source: CCN
Type: IBM Security Bulletin 6472057 (Resilient OnPrem)
IBM Security SOAR is using a component with known vulnerabilities - Eclipse Jetty ( CVE-2021-28163, CVE-2021-28165, CVE-2020-27223)

Source: CCN
Type: IBM Security Bulletin 6516422 (MQ)
IBM MQ is vulnerable to an issue in Eclipse Jetty (CVE-2021-28165)

Source: CCN
Type: IBM Security Bulletin 6520472 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to using components with know vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6567139 (Rational Functional Tester)
An Eclipse Jetty vulnerability affects IBM Rational Functional Tester

Source: CCN
Type: IBM Security Bulletin 6574019 (Process Mining)
Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2021-28165)

Source: CCN
Type: IBM Security Bulletin 6584093 (MQ)
IBM MQ is vulnerable to multiple Eclipse Jetty issues

Source: CCN
Type: IBM Security Bulletin 6591193 (Sterling Connect:Direct Web Services)
IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6592799 (MaaS360 Mobile Enterprise Gateway)
IBM MaaS360 Mobile Enterprise Gateway uses Eclipse Jetty with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6597281 (Sterling Connect:Direct Browser User Interface)
IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty

Source: CCN
Type: IBM Security Bulletin 6608622 (Rational Performance Tester)
Vulnerabilities in Eclipse Jetty affect Rational Performance Tester (CVE-2021-28169, CVE-2021-34428, CVE-2021-28163, CVE-2021-28164, CVE-2021-34429, CVE-2021-28165)

Source: CCN
Type: IBM Security Bulletin 6608624 (Rational Service Tester)
Vulnerabilities in Eclipse Jetty affect Rational Service Tester (CVE-2021-28169, CVE-2021-34428, CVE-2021-28163, CVE-2021-28164, CVE-2021-34429, CVE-2021-28165)

Source: CCN
Type: IBM Security Bulletin 6614725 (QRadar SIEM)
IBM QRadar SIEM includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6825513 (Rational Change)
Multiple Vulnerabilities in Rational Change Fix Pack 04 for 5.3.2

Source: CCN
Type: IBM Security Bulletin 6825515 (Rational Synergy)
Multiple Vulnerabilities in Rational Synergy 7.2.2.4

Source: CCN
Type: IBM Security Bulletin 6829321 (InfoSphere Information Server)
Multiple vulnerabilities in Eclipse Jetty affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6830871 (Enterprise Records)
Vulnerability found in Eclipse Jetty may affect IBM Enterprise Records

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6983272 (Business Automation Workflow)
A CVE-2021-28165 vulnerability in Eclipse Jetty affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow

Source: CCN
Type: IBM Security Bulletin 6983274 (Cognos Command Center)
IBM Cognos Command Center is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7001793 (App Connect Enterprise Toolkit)
Multiple vulnerabilities affect the IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit

Source: CCN
Type: IBM Security Bulletin 7005945 (Storage Protect)
IBM Storage Protect Server is vulnerable to various attacks due to Eclipse jetty

Source: MISC
Type: Not Applicable, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 11.0.0 and < 11.0.2)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 10.0.0 and < 10.0.2)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 7.2.2 and < 9.4.39)

  Configuration 2:
  • cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:* (Version <= 21.9)
  • OR cpe:/a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.2.4.0)
  • OR cpe:/a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.2.4.0)
  • OR cpe:/a:oracle:rest_data_services:*:*:*:*:*:*:*:* (Version < 21.3)

  Configuration 3:
  • cpe:/a:jenkins:jenkins:*:*:*:*:lts:*:*:* (Version < 2.277.3)
  • OR cpe:/a:jenkins:jenkins:*:*:*:*:*:*:*:* (Version < 2.286)

  Configuration 4:
  • cpe:/a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0.0 and < 11.70.1)
  • OR cpe:/a:netapp:e-series_performance_analyzer:*:*:*:*:*:*:*:* (Version < 3.0)
  • OR cpe:/a:netapp:snapcenter:*:*:*:*:*:*:*:* (Version < 4.6)
  • OR cpe:/a:netapp:e-series_santricity_storage:*:*:*:*:*:vcenter:*:* (Version < 1.10)
  • OR cpe:/a:netapp:santricity_web_services_proxy:*:*:*:*:*:*:*:* (Version < 5.1)
  • OR cpe:/a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:* (Version < 9.10)
  • OR cpe:/a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:* (Version < 9.10)
  • OR cpe:/a:netapp:e-series_santricity_web_services:*:*:*:*:*:web_services_proxy:*:* (Version < 5.1)
  • OR cpe:/a:netapp:ontap_tools:*:*:*:*:*:vmware_vsphere:*:* (Version < 9.10)
  • OR cpe:/a:netapp:cloud_manager:*:*:*:*:*:*:*:* (Version < 3.9.8)

  Configuration CCN 1:
  • cpe:/a:eclipse:jetty:10.0.0:alpha0:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.0:alpha0:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:10.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:7.2.2:20101205:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:6.2.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq:9.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq:9.1.0:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:6.2.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:6.2.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_service_tester:9.5:*:*:*:soa_quality:*:*:*
  • OR cpe:/a:ibm:mq:9.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:6.2.7.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.1.1.2:*:*:*:*:*:*:*

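Worked check for the Configuration 1 ranges above (an added example; this is not code from the Jetty project or from this record). It parses Jetty version strings, including the alpha/beta pre-release and `.vYYYYMMDD` build-date forms that appear in the CPE list, compares them against the three affected ranges with the same inclusive/exclusive bounds as Configuration 1, and scans `mvn dependency:tree` output for Jetty artifacts. The dependency-tree text is constructed sample input; the coordinate layout follows Maven's standard `dependency:tree` output, and the version grammar is an assumption about Jetty's naming.

```python
import re

# Pre-release qualifiers sort before the final release of the same x.y.z.
# (Assumption about Jetty's version grammar: alpha/beta/M/rc qualifiers and
# an optional ".vYYYYMMDD" build-date suffix, e.g. 9.4.38.v20210224.)
_PRERELEASE = {"alpha": 0, "beta": 1, "m": 2, "rc": 3}
_FINAL = (9, 0)  # a final release sorts after any pre-release qualifier

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"           # major.minor.patch
    r"(?:\.(alpha|beta|m|rc)(\d+))?"  # optional pre-release qualifier
    r"(?:[.\-]v\d{8})?$",             # optional build-date suffix
    re.IGNORECASE,
)

def parse_jetty_version(text):
    """Turn a Jetty version string into a tuple that sorts correctly,
    so that 10.0.0.alpha0 < 10.0.0.beta1 < 10.0.0 < 10.0.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Jetty version: %r" % text)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    pre = (_PRERELEASE[m.group(4).lower()], int(m.group(5))) if m.group(4) else _FINAL
    return (major, minor, patch, pre)

# Affected ranges from Configuration 1: lower bound inclusive, upper bound exclusive.
# Using (0, 0) as the pre-release part makes the lower bound include alpha0 builds
# and the upper bound exclude the fixed release itself.
AFFECTED_RANGES = [
    ((7, 2, 2, (0, 0)), (9, 4, 39, (0, 0))),
    ((10, 0, 0, (0, 0)), (10, 0, 2, (0, 0))),
    ((11, 0, 0, (0, 0)), (11, 0, 2, (0, 0))),
]

def is_affected(version_text):
    """True if the Jetty version falls inside a CVE-2021-28165 affected range."""
    v = parse_jetty_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

# Matches Maven coordinates such as org.eclipse.jetty:jetty-server:jar:9.4.38.v20210224:compile
_MAVEN_JETTY_RE = re.compile(r"org\.eclipse\.jetty(?:\.[\w-]+)?:([\w-]+):jar:([^:\s]+)")

def scan_maven_dependency_tree(tree_text):
    """Return (artifactId, version, affected) for every Jetty artifact found in
    `mvn dependency:tree` output; affected is None when the version is unparseable."""
    findings = []
    for line in tree_text.splitlines():
        m = _MAVEN_JETTY_RE.search(line)
        if not m:
            continue
        artifact, version = m.group(1), m.group(2)
        try:
            findings.append((artifact, version, is_affected(version)))
        except ValueError:
            findings.append((artifact, version, None))
    return findings

# Constructed sample of `mvn dependency:tree` output (not taken from any real project).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.38.v20210224:compile
[INFO] |  +- org.eclipse.jetty:jetty-http:jar:9.4.38.v20210224:compile
[INFO] |  \\- org.eclipse.jetty:jetty-io:jar:9.4.38.v20210224:compile
[INFO] +- org.eclipse.jetty.http2:http2-server:jar:9.4.39.v20210325:compile
[INFO] \\- org.eclipse.jetty:jetty-util:jar:10.0.0.alpha0:compile
"""

if __name__ == "__main__":
    for artifact, version, affected in scan_maven_dependency_tree(SAMPLE_TREE):
        status = {True: "AFFECTED", False: "ok", None: "unparsed"}[affected]
        print("%-14s %-22s %s" % (artifact, version, status))
```

The scanner flags every `org.eclipse.jetty` artifact in range rather than a single module, because the fixed releases (9.4.39, 10.0.2, 11.0.2) replace the Jetty release as a whole and mixed versions within one tree are themselves a finding. Shaded or vendored copies of Jetty, of the kind the hbase-thirdparty, Solr and Spark references above are updating, do not appear as Maven coordinates, so bundled jars need to be checked by their manifest version as well.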
    Oval Definitions (Class P = patch definition)
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:8024 | P | jetty-http-9.4.48-150200.3.16.3 on GA media (Moderate) | 2023-06-20
    oval:org.opensuse.security:def:95293 | P | Security update for java-17-openjdk (Important) | 2022-08-03
    oval:org.opensuse.security:def:3395 | P | vsftpd-3.0.2-40.11.1 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:94894 | P | evince-41.3-150400.1.11 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:95025 | P | jetty-http-9.4.43-3.12.2 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:6065 | P | Security update for gcc48 (Moderate) | 2022-06-08
    oval:org.opensuse.security:def:102006 | P | Security update for the Linux Kernel (Live Patch 12 for SLE 15 SP3) (Critical) | 2022-02-16
    oval:org.opensuse.security:def:101607 | P | Security update for qemu (Low) | 2022-01-25
    oval:org.opensuse.security:def:112474 | P | jetty-annotations-9.4.43-1.2 on GA media (Moderate) | 2022-01-17
    oval:org.opensuse.security:def:105971 | P | jetty-annotations-9.4.43-1.2 on GA media (Moderate) | 2021-10-01
    oval:org.opensuse.security:def:4485 | P | Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP5) (Important) | 2021-09-16
    oval:org.opensuse.security:def:111590 | P | Security update for jetty-minimal (Important) | 2021-07-11
    oval:org.opensuse.security:def:65574 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:4555 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:97080 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:117787 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:74712 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:108273 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:101782 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:65644 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:5745 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:75902 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:108672 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:66834 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:76222 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:67154 | P | Security update for jetty-minimal (Important) | 2021-06-17
    oval:org.opensuse.security:def:74642 | P | Security update for jetty-minimal (Important) | 2021-06-17