Eclipse Jetty, a popular web server and servlet container, contains an integer overflow vulnerability in its implementation of the HTTP/2 protocol (HPACK header decoding). The flaw can be used to trigger a remote denial of service.

Affected versions are 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52. Users are advised to update to the fixed releases (11.0.16, 10.0.16, or 9.4.53) to mitigate this issue.

Exploit Details

The root cause is an integer overflow in the MetaDataBuilder.checkSize function in MetaDataBuilder.java. This function checks whether a header name or value exceeds the configured size limit and throws an exception if it does. The check breaks down when the length is very large and huffman is set to true: multiplying the length by 4 on line 295 overflows the 32-bit int, so the adjusted length becomes negative. The comparison on line 296 then never fires, because (_size + length) is also negative and therefore never greater than _maxLength.

In addition, the code accepts negative HPACK header value sizes. Later in the decoding process that size is multiplied by 2 when sizing a buffer, so a negative value can wrap around to a very large positive number and cause an enormous allocation. For the attack to work, the attacker must supply a negative length whose doubling yields a large positive int; this forces the server to allocate a huge buffer.

The problematic code snippet from MetaDataBuilder.java is shown below.

private void checkSize(int length, boolean huffman)
{
    // Huffman fudge factor: length * 4 is 32-bit int arithmetic and can wrap negative
    length = huffman ? (length * 4 + 2) / 3 : length;
    // With a negative length, _size + length is below _maxLength and no exception is thrown
    if (_size + length > _maxLength)
        throw new IllegalArgumentException();
}
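The following is an added, self-contained illustration of the two arithmetic hazards described above, written for this write-up rather than taken from Jetty. The class name, the field values (_size starts at 0, _maxLength is 8 KiB) and the hardened variant are assumptions for the demonstration; Jetty's actual patch may be implemented differently. The vulnerable method reproduces the original int arithmetic so the wraparound can be observed, and the hardened method widens to long and rejects negative lengths before any size comparison is made.

```java
/**
 * Added demonstration of the MetaDataBuilder.checkSize overflow.
 * This is illustrative code, not Jetty's implementation. The limits and the
 * hardened variant are assumptions made for the example.
 */
public class CheckSizeOverflowDemo {
    // Assumed state: bytes already counted for this header block, and the configured cap.
    private int _size = 0;
    private final int _maxLength = 8 * 1024;

    /** Same arithmetic as the vulnerable snippet; returns true when the header is accepted. */
    boolean vulnerableCheckSize(int length, boolean huffman) {
        // length * 4 is evaluated in 32-bit int; large inputs wrap to a negative value
        length = huffman ? (length * 4 + 2) / 3 : length;
        return !(_size + length > _maxLength);
    }

    /**
     * Hardened variant (an assumption for this example, not Jetty's patch):
     * reject negative lengths outright and do the Huffman estimate in 64-bit arithmetic.
     */
    boolean hardenedCheckSize(int length, boolean huffman) {
        if (length < 0) {
            return false; // a negative HPACK length is never legitimate
        }
        long adjusted = huffman ? (((long) length) * 4 + 2) / 3 : length;
        return (long) _size + adjusted <= _maxLength;
    }

    /** Second hazard from the text: doubling a negative int can wrap to a large positive int. */
    static int doubledInt(int requested) {
        return requested * 2;
    }

    /** Safe counterpart: compute in long and refuse anything that does not fit a buffer size. */
    static long doubledChecked(int requested) {
        if (requested < 0) {
            throw new IllegalArgumentException("negative size: " + requested);
        }
        return ((long) requested) * 2;
    }

    public static void main(String[] args) {
        CheckSizeOverflowDemo demo = new CheckSizeOverflowDemo();

        // Constructed input: 0x30000000 * 4 exceeds Integer.MAX_VALUE and wraps negative,
        // so the vulnerable check accepts it while the hardened check rejects it.
        int huge = 0x30000000;
        System.out.println("huffman estimate (int):  " + ((huge * 4 + 2) / 3));
        System.out.println("huffman estimate (long): " + ((((long) huge) * 4 + 2) / 3));
        System.out.println("vulnerable accepts:      " + demo.vulnerableCheckSize(huge, true));
        System.out.println("hardened accepts:        " + demo.hardenedCheckSize(huge, true));

        // Constructed input: a negative value whose doubling wraps into the positive range.
        int negative = -1073741825;
        System.out.println("doubled as int:          " + doubledInt(negative));
        try {
            doubledChecked(negative);
        } catch (IllegalArgumentException e) {
            System.out.println("doubledChecked rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac and java; the first two printed estimates differ only because the int version wrapped, which is exactly the condition under which the original comparison becomes useless.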

Mitigation

The Eclipse Jetty team has fixed this vulnerability in versions 11.0.16, 10.0.16, and 9.4.53. Users should update to a patched version as soon as possible. There are no known workarounds for this issue.

References

* Eclipse Jetty Security Advisory
* CVE-2023-36478 - National Vulnerability Database
* GitHub Issue - Integer Overflow in checkSize()
* GitHub Commit - Fix for the Vulnerability

Conclusion

Eclipse Jetty's integer overflow vulnerability exposes affected servers to remote denial of service. Affected versions are 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52. Users should update to versions 11.0.16, 10.0.16, or 9.4.53 to resolve this issue.

Timeline

Published on: 10/10/2023 17:15:11 UTC
Last modified on: 11/16/2023 16:15:30 UTC