openEuler 20.03 LTS SP1 update for jetty
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2020-27223 CVE-2021-28165 |
| CWE-ID | CWE-20 CWE-400 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
openEuler Operating systems & Components / Operating system jetty-security Operating systems & Components / Operating system package or component jetty-alpn-server Operating systems & Components / Operating system package or component jetty-quickstart Operating systems & Components / Operating system package or component jetty-jaspi Operating systems & Components / Operating system package or component jetty-http2-server Operating systems & Components / Operating system package or component jetty-client Operating systems & Components / Operating system package or component jetty-alpn-client Operating systems & Components / Operating system package or component jetty-jsp Operating systems & Components / Operating system package or component jetty-annotations Operating systems & Components / Operating system package or component jetty-http2-hpack Operating systems & Components / Operating system package or component jetty-jspc-maven-plugin Operating systems & Components / Operating system package or component jetty-websocket-server Operating systems & Components / Operating system package or component jetty-start Operating systems & Components / Operating system package or component jetty-unixsocket Operating systems & Components / Operating system package or component jetty-server Operating systems & Components / Operating system package or component jetty-jmx Operating systems & Components / Operating system package or component jetty-cdi Operating systems & Components / Operating system package or component jetty-proxy Operating systems & Components / Operating system package or component jetty-util-ajax Operating systems & Components / Operating system package or component jetty-http2-common Operating systems & Components / Operating system package or component jetty-webapp Operating systems & Components / Operating system package or component jetty-websocket-common Operating systems & Components / Operating system package or component jetty-osgi-boot-warurl Operating systems & Components / Operating system package or component jetty-jstl Operating systems & Components / Operating system package or component jetty-http Operating systems & Components / Operating system package or component jetty-fcgi-client Operating systems & Components / Operating system package or component jetty-websocket-client Operating systems & Components / Operating system package or component jetty-websocket-api Operating systems & Components / Operating system package or component jetty-rewrite Operating systems & Components / Operating system package or component jetty-plus Operating systems & Components / Operating system package or component jetty-httpservice Operating systems & Components / Operating system package or component jetty-deploy Operating systems & Components / Operating system package or component jetty-util Operating systems & Components / Operating system package or component jetty-servlet Operating systems & Components / Operating system package or component jetty-javax-websocket-server-impl Operating systems & Components / Operating system package or component jetty-servlets Operating systems & Components / Operating system package or component jetty-jndi Operating systems & Components / Operating system package or component jetty-http2-client Operating systems & Components / Operating system package or component jetty-project Operating systems & Components / Operating system package or component jetty-nosql Operating systems & Components / Operating system package or component jetty-ant Operating systems & Components / Operating system package or component jetty-spring Operating systems & Components / Operating system package or component jetty-osgi-alpn Operating systems & Components / Operating system package or component jetty-http2-http-client-transport Operating systems & Components / Operating system package or component jetty-fcgi-server Operating systems & Components / Operating system package or component jetty-infinispan Operating systems & Components / Operating system package or component jetty-continuation Operating systems & Components / Operating system package or component jetty-osgi-boot-jsp Operating systems & Components / Operating system package or component jetty-osgi-boot Operating systems & Components / Operating system package or component jetty-maven-plugin Operating systems & Components / Operating system package or component jetty-io Operating systems & Components / Operating system package or component jetty-xml Operating systems & Components / Operating system package or component jetty-javax-websocket-client-impl Operating systems & Components / Operating system package or component jetty-javadoc Operating systems & Components / Operating system package or component jetty-jaas Operating systems & Components / Operating system package or component jetty-websocket-servlet Operating systems & Components / Operating system package or component jetty-http-spi Operating systems & Components / Operating system package or component jetty Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU52385
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-27223
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the General (Eclipse Jetty) component in Oracle REST Data Services. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
jetty-security: before 9.4.15-7
jetty-alpn-server: before 9.4.15-7
jetty-quickstart: before 9.4.15-7
jetty-jaspi: before 9.4.15-7
jetty-http2-server: before 9.4.15-7
jetty-client: before 9.4.15-7
jetty-alpn-client: before 9.4.15-7
jetty-jsp: before 9.4.15-7
jetty-annotations: before 9.4.15-7
jetty-http2-hpack: before 9.4.15-7
jetty-jspc-maven-plugin: before 9.4.15-7
jetty-websocket-server: before 9.4.15-7
jetty-start: before 9.4.15-7
jetty-unixsocket: before 9.4.15-7
jetty-server: before 9.4.15-7
jetty-jmx: before 9.4.15-7
jetty-cdi: before 9.4.15-7
jetty-proxy: before 9.4.15-7
jetty-util-ajax: before 9.4.15-7
jetty-http2-common: before 9.4.15-7
jetty-webapp: before 9.4.15-7
jetty-websocket-common: before 9.4.15-7
jetty-osgi-boot-warurl: before 9.4.15-7
jetty-jstl: before 9.4.15-7
jetty-http: before 9.4.15-7
jetty-fcgi-client: before 9.4.15-7
jetty-websocket-client: before 9.4.15-7
jetty-websocket-api: before 9.4.15-7
jetty-rewrite: before 9.4.15-7
jetty-plus: before 9.4.15-7
jetty-httpservice: before 9.4.15-7
jetty-deploy: before 9.4.15-7
jetty-util: before 9.4.15-7
jetty-servlet: before 9.4.15-7
jetty-javax-websocket-server-impl: before 9.4.15-7
jetty-servlets: before 9.4.15-7
jetty-jndi: before 9.4.15-7
jetty-http2-client: before 9.4.15-7
jetty-project: before 9.4.15-7
jetty-nosql: before 9.4.15-7
jetty-ant: before 9.4.15-7
jetty-spring: before 9.4.15-7
jetty-osgi-alpn: before 9.4.15-7
jetty-http2-http-client-transport: before 9.4.15-7
jetty-fcgi-server: before 9.4.15-7
jetty-infinispan: before 9.4.15-7
jetty-continuation: before 9.4.15-7
jetty-osgi-boot-jsp: before 9.4.15-7
jetty-osgi-boot: before 9.4.15-7
jetty-maven-plugin: before 9.4.15-7
jetty-io: before 9.4.15-7
jetty-xml: before 9.4.15-7
jetty-javax-websocket-client-impl: before 9.4.15-7
jetty-javadoc: before 9.4.15-7
jetty-jaas: before 9.4.15-7
jetty-websocket-servlet: before 9.4.15-7
jetty-http-spi: before 9.4.15-7
jetty: before 9.4.15-7
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:a:openeuler:jetty-security:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-alpn-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-quickstart:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jaspi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-alpn-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-annotations:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-hpack:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jspc-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-start:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-unixsocket:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jmx:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-cdi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-proxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-util-ajax:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-webapp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-osgi-boot-warurl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jstl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-fcgi-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-api:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-rewrite:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-plus:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-httpservice:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-deploy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-util:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-javax-websocket-server-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-servlets:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jndi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-project:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-nosql:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-ant:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-spring:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-osgi-alpn:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-http-client-transport:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-fcgi-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-infinispan:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-continuation:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-osgi-boot-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-osgi-boot:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-io:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-xml:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-javax-websocket-client-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-javadoc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jaas:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http-spi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1166
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Resource exhaustion
EUVDB-ID: #VU51876
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-28165
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing large TLS frames. A remote attacker can send specially crafted data to the server, trigger CPU high load and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1
jetty-security: before 9.4.15-7
jetty-alpn-server: before 9.4.15-7
jetty-quickstart: before 9.4.15-7
jetty-jaspi: before 9.4.15-7
jetty-http2-server: before 9.4.15-7
jetty-client: before 9.4.15-7
jetty-alpn-client: before 9.4.15-7
jetty-jsp: before 9.4.15-7
jetty-annotations: before 9.4.15-7
jetty-http2-hpack: before 9.4.15-7
jetty-jspc-maven-plugin: before 9.4.15-7
jetty-websocket-server: before 9.4.15-7
jetty-start: before 9.4.15-7
jetty-unixsocket: before 9.4.15-7
jetty-server: before 9.4.15-7
jetty-jmx: before 9.4.15-7
jetty-cdi: before 9.4.15-7
jetty-proxy: before 9.4.15-7
jetty-util-ajax: before 9.4.15-7
jetty-http2-common: before 9.4.15-7
jetty-webapp: before 9.4.15-7
jetty-websocket-common: before 9.4.15-7
jetty-osgi-boot-warurl: before 9.4.15-7
jetty-jstl: before 9.4.15-7
jetty-http: before 9.4.15-7
jetty-fcgi-client: before 9.4.15-7
jetty-websocket-client: before 9.4.15-7
jetty-websocket-api: before 9.4.15-7
jetty-rewrite: before 9.4.15-7
jetty-plus: before 9.4.15-7
jetty-httpservice: before 9.4.15-7
jetty-deploy: before 9.4.15-7
jetty-util: before 9.4.15-7
jetty-servlet: before 9.4.15-7
jetty-javax-websocket-server-impl: before 9.4.15-7
jetty-servlets: before 9.4.15-7
jetty-jndi: before 9.4.15-7
jetty-http2-client: before 9.4.15-7
jetty-project: before 9.4.15-7
jetty-nosql: before 9.4.15-7
jetty-ant: before 9.4.15-7
jetty-spring: before 9.4.15-7
jetty-osgi-alpn: before 9.4.15-7
jetty-http2-http-client-transport: before 9.4.15-7
jetty-fcgi-server: before 9.4.15-7
jetty-infinispan: before 9.4.15-7
jetty-continuation: before 9.4.15-7
jetty-osgi-boot-jsp: before 9.4.15-7
jetty-osgi-boot: before 9.4.15-7
jetty-maven-plugin: before 9.4.15-7
jetty-io: before 9.4.15-7
jetty-xml: before 9.4.15-7
jetty-javax-websocket-client-impl: before 9.4.15-7
jetty-javadoc: before 9.4.15-7
jetty-jaas: before 9.4.15-7
jetty-websocket-servlet: before 9.4.15-7
jetty-http-spi: before 9.4.15-7
jetty: before 9.4.15-7
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:a:openeuler:jetty-security:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-alpn-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-quickstart:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jaspi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-alpn-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-annotations:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-hpack:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jspc-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-start:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-unixsocket:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jmx:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-cdi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-proxy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-util-ajax:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-webapp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-common:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-osgi-boot-warurl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jstl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-fcgi-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-api:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-rewrite:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-plus:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-httpservice:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-deploy:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-util:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-javax-websocket-server-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-servlets:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jndi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-client:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-project:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-nosql:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-ant:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-spring:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-osgi-alpn:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http2-http-client-transport:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-fcgi-server:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-infinispan:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-continuation:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-osgi-boot-jsp:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-osgi-boot:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-maven-plugin:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-io:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-xml:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-javax-websocket-client-impl:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-javadoc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-jaas:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-websocket-servlet:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty-http-spi:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:jetty:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1166
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
