Eclipse Jetty HTTP/2 Client-Triggered Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Eclipse Jetty's HTTP/2 implementation, affecting versions up to and including 9.4.57, 10.0.25, 11.0.25, 12.0.21, and 12.1.0.alpha2. An HTTP/2 client can make the server send RST_STREAM frames by sending frames that are malformed or that violate the stream state the server expects. Each such frame forces the server to allocate a stream, validate the frame, generate the reset, and tear the stream down again; repeated at high rate over a single connection, this drives excessive CPU and memory usage on the server. For instance, a client can open a stream and then send an illegal WINDOW_UPDATE frame, prompting the server to reset the stream. Because the resets are initiated by the server rather than the client, defenses that only rate-limit client-sent RST_STREAM frames (the mitigations deployed for HTTP/2 Rapid Reset) do not apply to this pattern.

Impact

Any client able to open an HTTP/2 connection to the server can drive CPU and memory usage high enough to cause a denial-of-service condition for other users of the server.

Reproduction

The vulnerability can be reproduced by opening an HTTP/2 connection to the server, opening a stream, and sending a WINDOW_UPDATE frame for that stream with an illegal flow-control increment such as 0. RFC 9113 requires the receiver to treat a zero increment as a stream error of type PROTOCOL_ERROR, so the server answers with a RST_STREAM frame; the client repeats this on fresh streams as fast as it can to exhaust server resources. Other frames that the RFC obliges the server to reset work the same way: HEADERS or DATA frames on a stream the client has already half-closed (STREAM_CLOSED), or a PRIORITY frame whose length is not 5 octets (FRAME_SIZE_ERROR). None of these streams needs to carry a real request, so the attack costs the client almost nothing. To confirm exposure, check the Jetty version actually deployed (for example the version of the jetty-server artifact on the classpath) against the affected ranges above.
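The following is an added example, not code from Jetty or from the original advisory. It models the server side of the exchange described above: a minimal HTTP/2 frame encoder/decoder, the three RFC 9113 checks that force a conforming server to answer with RST_STREAM, and a sliding-window budget for server-initiated resets that trips with a GOAWAY once a client has made the server reset too many streams in a short time. The frame checks follow the RFC; the budget class, the threshold values, the `Server` and `client_trigger_loop` names, and the single-byte HPACK header payload are assumptions made for this example and are not Jetty's implementation.

```python
"""Model of the HTTP/2 checks behind a server-initiated RST_STREAM, plus a
budget for resets the client made the server send. Constructed example;
not Eclipse Jetty code and not the project's fix."""
from collections import deque

# Frame types (RFC 9113 section 6) and error codes (section 7) used here.
DATA, HEADERS, PRIORITY, RST_STREAM, GOAWAY, WINDOW_UPDATE = 0x0, 0x1, 0x2, 0x3, 0x7, 0x8
PROTOCOL_ERROR, STREAM_CLOSED, FRAME_SIZE_ERROR, ENHANCE_YOUR_CALM = 0x1, 0x5, 0x6, 0xB
END_STREAM = 0x1


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    header = (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
              + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
    return header + payload


def decode_frame(buf):
    """Parse one frame from the front of buf; returns (type, flags, stream_id, payload, rest)."""
    length = int.from_bytes(buf[0:3], "big")
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF
    return buf[3], buf[4], stream_id, buf[9:9 + length], buf[9 + length:]


class ResetBudget:
    """Sliding-window counter for RST_STREAM frames the *server* sends (assumed design).
    Rapid Reset mitigations count client-sent resets; this counts the ones the
    client provoked, and reports True once the window holds more than max_resets."""

    def __init__(self, max_resets, window_ms):
        self.max_resets, self.window_ms, self.events = max_resets, window_ms, deque()

    def record(self, now_ms):
        self.events.append(now_ms)
        while now_ms - self.events[0] > self.window_ms:
            self.events.popleft()
        return len(self.events) > self.max_resets


class Server:
    """Minimal stream-state tracker that resets streams where RFC 9113 requires it
    and closes the connection when the reset budget trips."""

    def __init__(self, max_resets=100, window_ms=1000):
        self.streams = {}            # stream_id -> "open" | "half_closed_remote"
        self.budget = ResetBudget(max_resets, window_ms)
        self.sent = []               # frames the server would write back to the client
        self.closed = False

    def violation(self, ftype, stream_id, payload):
        """Return the stream-error code the server must RST_STREAM with, or None if the frame is fine."""
        if stream_id == 0:
            return None              # connection-level frames are not modelled here
        if ftype == PRIORITY and len(payload) != 5:
            return FRAME_SIZE_ERROR  # s6.3: PRIORITY payload is exactly 5 octets
        if ftype == WINDOW_UPDATE and len(payload) == 4:
            if int.from_bytes(payload, "big") & 0x7FFFFFFF == 0:
                return PROTOCOL_ERROR  # s6.9: zero increment on a stream
        if ftype in (HEADERS, DATA) and self.streams.get(stream_id) == "half_closed_remote":
            return STREAM_CLOSED     # s5.1: the client already sent END_STREAM on this stream
        return None

    def receive(self, frame_bytes, now_ms):
        if self.closed:
            return
        ftype, flags, stream_id, payload, _ = decode_frame(frame_bytes)
        code = self.violation(ftype, stream_id, payload)
        if code is None:
            if ftype == HEADERS and stream_id not in self.streams:
                self.streams[stream_id] = "open"
            if ftype in (HEADERS, DATA) and flags & END_STREAM:
                self.streams[stream_id] = "half_closed_remote"
            return
        # Server-initiated reset: the work spent to reach this point is the attacker's gain.
        self.sent.append(encode_frame(RST_STREAM, 0, stream_id, code.to_bytes(4, "big")))
        self.streams.pop(stream_id, None)
        if self.budget.record(now_ms):
            goaway = (0).to_bytes(4, "big") + ENHANCE_YOUR_CALM.to_bytes(4, "big")
            self.sent.append(encode_frame(GOAWAY, 0, 0, goaway))
            self.closed = True


def client_trigger_loop(server, rounds):
    """Replay the pattern from the Reproduction section: open a stream, then send a
    WINDOW_UPDATE with increment 0 on it. Returns how many RST_STREAMs the server sent.
    The one-byte payload is a constructed HPACK indexed header (':method: GET')."""
    for i in range(rounds):
        sid = 2 * i + 1              # client-initiated stream ids are odd
        server.receive(encode_frame(HEADERS, 0, sid, b"\x82"), now_ms=i)
        server.receive(encode_frame(WINDOW_UPDATE, 0, sid, (0).to_bytes(4, "big")), now_ms=i)
    return sum(1 for f in server.sent if f[3] == RST_STREAM)
```

Running `client_trigger_loop(Server(max_resets=10, window_ms=1000), 50)` shows the shape of the problem: every round costs the server a stream open, a reset and a teardown, and a server that counts only client-sent RST_STREAMs would never trip. With the server-side budget, the connection is closed after the eleventh provoked reset, which is the behaviour a fixed deployment should exhibit under a traffic replay of this kind.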

Remediation

Upgrade to Jetty 9.4.58, 10.0.26, 11.0.26, 12.0.25, or 12.1.0.beta3 (the first fixed release on each affected branch). The fixed versions are the only remediation listed here.

Added: Aug 20, 2025, 8:24 PM
Updated: Aug 20, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 2.5
exploitability: 8.6
remediation: 8.3
relevance: 0.4
threat: 1.6
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.