CVE-2021-28165

Severity: high

Description

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

References

https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

http://www.openwall.com/lists/oss-security/2021/04/20/3

https://security.netapp.com/advisory/ntap-20210611-0006/

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.debian.org/security/2021/dsa-4949

https://www.oracle.com/security-alerts/cpuoct2021.html

Details

Source: MITRE

Published: 2021-04-01

Updated: 2021-10-20

Type: CWE-400

Risk Information

CVSS v2

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 155587 | Jenkins Enterprise and Operations Center < 2.249.31.0.1 / 2.277.3.1 DoS (CloudBees Security Advisory 2021-04-20) | Nessus | CGI abuses | high |
| 112995 | Jetty 11.0.x < 11.0.2 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 112994 | Jetty 10.0.x < 10.0.2 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 112993 | Jetty < 9.4.39 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 151741 | openSUSE 15 Security Update : jetty-minimal (openSUSE-SU-2021:2005-1) | Nessus | SuSE Local Security Checks | medium |
| 150895 | SUSE SLED15 / SLES15 Security Update : jetty-minimal (SUSE-SU-2021:2005-1) | Nessus | SuSE Local Security Checks | medium |
| 149793 | RHEL 7 / 8 : OpenShift Container Platform 4.7.11 (RHSA-2021:1551) | Nessus | Red Hat Local Security Checks | medium |
| 149318 | RHEL 7 : rh-eclipse-jetty (RHSA-2021:1509) | Nessus | Red Hat Local Security Checks | medium |
| 148975 | Jenkins LTS < 2.277.3 / Jenkins weekly < 2.286 | Nessus | CGI abuses | high |
| 148865 | FreeBSD : jenkins -- Denial of service vulnerability in bundled Jetty (e358b470-b37d-4e47-bc8a-2cd9adbeb63c) | Nessus | FreeBSD Local Security Checks | high |