In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.249.x prior to 2.249.31.0.1, or 2.x prior to 2.277.3.1. It is, therefore, affected by a denial of service vulnerability due to an issue with Winstone-Jetty. An unauthenticated, remote attacker can exploit this by sending a large invalid SSL/TLS frame, to cause CPU usage to hit 100% and cause the system to stop responding.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Jetty hosted on the remote web server is prior to 9.4.39, 10.0.x prior to 10.0.2 or 11.0.x prior to 11.0.2. It is, therefore, affected by multiple vulnerabilities:

 - An issue where CPU usage can reach 100% with a large invalid TLS frame. (CVE-2021-28165)

 - A issue with permitting access to protected resources within the WEB-INF directory when accessed with encoded paths. (CVE-2021-28164)

 - An issue when a symlinked webapps directory is used, the contents of the webapps directory is deployed as a static webapp. (CVE-2021-28163)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2005-1 advisory.

  - In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a     webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp,     inadvertently serving the webapps themselves and anything else that might be in that directory.
    (CVE-2021-28163)

  - In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with     URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For     example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive     information regarding the implementation of a web application. (CVE-2021-28164)

  - In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can     reach 100% upon receiving a large invalid TLS frame. (CVE-2021-28165)

  - For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the     ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For     example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal     sensitive information regarding the implementation of a web application. (CVE-2021-28169)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2005-1 advisory.

  - In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a     webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp,     inadvertently serving the webapps themselves and anything else that might be in that directory.
    (CVE-2021-28163)

  - In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with     URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For     example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive     information regarding the implementation of a web application. (CVE-2021-28164)

  - In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can     reach 100% upon receiving a large invalid TLS frame. (CVE-2021-28165)

  - For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the     ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For     example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal     sensitive information regarding the implementation of a web application. (CVE-2021-28169)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1551 advisory.

  - golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)

  - jenkins: lack of type validation in agent related REST API (CVE-2021-21639)

  - jenkins: view name validation bypass (CVE-2021-21640)

  - jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)

  - jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)

  - golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1509 advisory.

  - jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)

  - jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)

  - jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.277.3 or Jenkins weekly prior to 2.286. It is, therefore, affected by a vulnerability:

  - In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can     reach 100% upon receiving a large invalid TLS frame. (CVE-2021-28165)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Jenkins Security Advisory : Description(High) JENKINS-65280 / CVE-2021-28165 Denial of service vulnerability in bundled Jetty

ID	Name	Product	Family	Severity
155587	Jenkins Enterprise and Operations Center < 2.249.31.0.1 / 2.277.3.1 DoS (CloudBees Security Advisory 2021-04-20)	Nessus	CGI abuses	high
112995	Jetty 11.0.x < 11.0.2 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
112994	Jetty 10.0.x < 10.0.2 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
112993	Jetty < 9.4.39 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
151741	openSUSE 15 Security Update : jetty-minimal (openSUSE-SU-2021:2005-1)	Nessus	SuSE Local Security Checks	medium
150895	SUSE SLED15 / SLES15 Security Update : jetty-minimal (SUSE-SU-2021:2005-1)	Nessus	SuSE Local Security Checks	medium
149793	RHEL 7 / 8 : OpenShift Container Platform 4.7.11 (RHSA-2021:1551)	Nessus	Red Hat Local Security Checks	medium
149318	RHEL 7 : rh-eclipse-jetty (RHSA-2021:1509)	Nessus	Red Hat Local Security Checks	medium
148975	Jenkins LTS < 2.277.3 / Jenkins weekly < 2.286	Nessus	CGI abuses	high
148865	FreeBSD : jenkins -- Denial of service vulnerability in bundled Jetty (e358b470-b37d-4e47-bc8a-2cd9adbeb63c)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2021-28165

high

Tenable Plugins

high

high

high

high

medium

medium

medium

medium

high

high