Eclipse Jetty GzipHandler Memory Leak Vulnerability Leading to Denial-of-Service

Vulnerability

A memory leak vulnerability has been identified in Eclipse Jetty versions 12.0.0 through 12.0.31 and 12.1.0 through 12.1.5. The issue arises in the GzipHandler class when a compressed HTTP request with 'Content-Encoding: gzip' is received but the corresponding response is not compressed. In this scenario the JDK Inflater used to decompress the request body is allocated but never released: the release is tied to the response compression path, so when the response goes out uncompressed the Inflater stays referenced and is leaked.

Impact

Each request that triggers the leak leaves another Inflater behind, so sustained exploitation can exhaust memory and raise an 'OutOfMemoryError' (OOM) in the Java Virtual Machine, crashing the application. The vulnerability can therefore be exploited to create a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a compressed HTTP request with 'Content-Encoding: gzip' to a server running one of the affected Eclipse Jetty versions, and ensure the request does not carry 'Accept-Encoding: gzip', so that the response is not compressed. This causes the GzipHandler to create a new Inflater for the request that is never released, and repeated requests build up Inflater objects in memory. Monitor the server's memory usage to observe the effects of the leak, which can eventually lead to an 'OutOfMemoryError' and crash the application.

Remediation

As a workaround, GzipHandler can be disabled (removed from the handler chain). The fix is to upgrade to Jetty 12.1.6 or 12.0.32, where this vulnerability has been patched.
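The following embedded-Jetty program is an added example, not code from the advisory or from the Jetty project, showing what "disabling GzipHandler" means concretely in the Jetty 12 core API: the application handler is installed directly on the Server instead of being wrapped by a GzipHandler. It also checks the running Jetty version against the affected ranges stated above. The HelloHandler class, the isAffected helper, the port number and the decision to select the workaround automatically are all assumptions made for illustration; the Jetty types used (Server, ServerConnector, Handler.Abstract, GzipHandler, Callback) are the real Jetty 12 API.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.gzip.GzipHandler;
import org.eclipse.jetty.util.Callback;

public class GzipWorkaround {

    // Affected ranges as stated in the advisory: 12.0.0-12.0.31 and 12.1.0-12.1.5.
    // Returns false for any version string it cannot parse (hypothetical helper).
    static boolean isAffected(String version) {
        Matcher m = Pattern.compile("^(\\d+)\\.(\\d+)\\.(\\d+)").matcher(version);
        if (!m.find()) {
            return false;
        }
        int major = Integer.parseInt(m.group(1));
        int minor = Integer.parseInt(m.group(2));
        int patch = Integer.parseInt(m.group(3));
        if (major != 12) {
            return false;
        }
        if (minor == 0) {
            return patch <= 31;
        }
        if (minor == 1) {
            return patch <= 5;
        }
        return false;
    }

    // Minimal application handler (constructed for this example): a small
    // plain-text response, i.e. a response that is not compressed.
    static class HelloHandler extends Handler.Abstract {
        @Override
        public boolean handle(Request request, Response response, Callback callback) {
            response.setStatus(200);
            response.getHeaders().put(HttpHeader.CONTENT_TYPE, "text/plain; charset=utf-8");
            byte[] body = "hello\n".getBytes(StandardCharsets.UTF_8);
            response.write(true, ByteBuffer.wrap(body), callback);
            return true;
        }
    }

    // Builds the handler chain. With useGzipHandler=false the GzipHandler is
    // simply absent, which is the workaround the advisory describes; with
    // useGzipHandler=true the request/response pass through GzipHandler.
    static Handler buildHandlerChain(boolean useGzipHandler) {
        Handler app = new HelloHandler();
        if (!useGzipHandler) {
            return app;
        }
        GzipHandler gzip = new GzipHandler();
        gzip.setHandler(app);
        return gzip;
    }

    public static void main(String[] args) throws Exception {
        String version = Server.getVersion();
        boolean affected = isAffected(version);
        System.out.println("Jetty " + version
            + (affected ? ": in the affected range, GzipHandler left out of the chain"
                        : ": not in the affected range, GzipHandler enabled"));

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server);
        connector.setPort(8080); // assumed port
        server.addConnector(connector);
        server.setHandler(buildHandlerChain(!affected));
        server.start();
        server.join();
    }
}
```

In a standalone `${jetty.base}` deployment the same handler is normally enabled through Jetty's `gzip` start module rather than in code, so the equivalent workaround there is to disable that module. To confirm whether a running instance is leaking, watch the instance count of `java.util.zip.Inflater` in a heap histogram (`jcmd <pid> GC.class_histogram`) over time; a count that only grows under traffic while the server is otherwise idle matches the behaviour this advisory describes.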

Added: Mar 5, 2026, 10:17 AM
Updated: Mar 5, 2026, 10:17 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 8.6
remediation: 8.3
relevance: 3.9
threat: 1.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.