CVE-2018-12545

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

Link	Resource
https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096	Issue Tracking Vendor Advisory
https://lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79@%3Cnotifications.accumulo.apache.org%3E	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606@%3Cdevnull.infra.apache.org%3E	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2@%3Ccommits.accumulo.apache.org%3E	Mailing List Patch
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6/	Mailing List Release Notes
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch Third Party Advisory
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E	Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory

Configuration 1

cpe:2.3:a:eclipse:jetty:9.3.0:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.4:rc1:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.4:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.0:rc1:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.7:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.8:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.7:rc1:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.0:20150601:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.0:20150608:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.0:20150612:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.1:20150714:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.2:20150730:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.3:20150825:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.3:20150827:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.4:20151007:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.4:20151005:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.5:20151012:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.6:20151106:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.7:20160115:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.8:20160311:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.8:20160314:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.9:20160517:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.9:maintenance_0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.9:maintenance_1:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.10:20160621:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.10:maintenance_0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.11:maintenance_0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.12:20160915:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.13:20161014:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.13:maintenance_0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.14:20161028:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.15:20161220:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.16:20170119:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.16:20170120:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.17:20170317:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.17:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.18:20170406:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.19:20170502:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.20:20170531:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.21:maintenance_0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.21:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.21:20170918:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.22:20171030:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.23:20180228:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.24:20180605:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.0:maintenance_0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.0:maintenance_1:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.0:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.0:rc1:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.0:rc2:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.0:rc3:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.0:20161207:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.0:20161208:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.1:20170120:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.1:20180619:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.2:20170220:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.2:20180619:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.3:20170317:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.3:20180619:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.4:20170410:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.4:20170414:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.4:20180619:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.5:20170502:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.5:20180619:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.6:20180619:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.7:20170914:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.7:20180619:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.7:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.8:20171121:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.8:20180619:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.9:20180320:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.10:20180503:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.10:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.10:rc1:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.12:rc0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.12:rc1:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.4.12:rc2:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.0:maintenance2:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.0:maintenance0:*:*:*:*:*:* cpe:2.3:a:eclipse:jetty:9.3.0:maintenance1:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*

---

Published : 2019-03-27 08:29

Updated : 2020-10-23 06:18

---

NVD link : CVE-2018-12545

Mitre link : CVE-2018-12545

Eclipse

Jetty

CWE-770