PushSessionCacheFilter can cause remote DoS attacks

Low

joakime published GHSA-r7m4-f9h5-gr79

Oct 14, 2024

Package

org.eclipse.jetty:jetty-servlets (Maven)

Affected versions

>=10.0.0, <=10.0.17

>=11.0.0, <=11.0.17

>=12.0.0, <=12.0.3

Patched versions

10.0.18

11.0.18

12.0.4

Description

Impact

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Patches

#9715
#9716

Workarounds

The session usage is intrinsic to the design of the PushCacheFilter. The issue can be avoided by:

not using the PushCacheFilter. Push has been deprecated by the various IETF specs and early hints responses should be used instead.
reducing the reducing the idle timeout on unauthenticated sessions will reduce the time such session stay in memory.
configuring a session cache to use session passivation, so that sessions are not stored in memory, but rather in a database or file system that may have significantly more capacity than memory.

References

Severity

Low

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

High

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L