Integer Overflow or Wraparound Affecting jetty-http package, versions <9.4.53-150200.3.22.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Integer Overflow or Wraparound vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-SLES155-JETTYHTTP-6037211
- published27 Oct 2023
- disclosed26 Oct 2023
Introduced: 26 Oct 2023
CVE-2023-36478 (opens in a new tab)How to fix?
Upgrade SLES:15.5 jetty-http to version 9.4.53-150200.3.22.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream jetty-http package and not the jetty-http package as distributed by SLES.
See How to fix? for SLES:15.5 relevant fixed versions and status.
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to
exceed their size limit. MetaDataBuilder.java determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295
will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, MetaDataBuilder.checkSize allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
References
- https://www.suse.com/security/cve/CVE-2023-36478.html
- https://bugzilla.suse.com/1216162
- http://www.openwall.com/lists/oss-security/2023/10/18/4
- https://github.com/eclipse/jetty.project/pull/9634
- https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16
- https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16
- https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r
- https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html
- https://security.netapp.com/advisory/ntap-20231116-0011/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.debian.org/security/2023/dsa-5540