CVE-2023-36478 : Security Advisory and Response

Learn about CVE-2023-36478 affecting Eclipse Jetty, allowing HTTP/2 HPACK header values to surpass size limits, potentially leading to remote denial of service attacks. Update to versions 11.0.16, 10.0.16, or 9.4.53 for mitigation.

This article provides detailed information about CVE-2023-36478, focusing on the HTTP/2 HPACK integer overflow and buffer allocation vulnerability in Eclipse Jetty.

Understanding CVE-2023-36478

CVE-2023-36478 is a high-severity vulnerability affecting versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52 of Eclipse Jetty, allowing for HTTP/2 HPACK header values to exceed their size limit due to an integer overflow.

What is CVE-2023-36478?

In the Eclipse Jetty versions listed above, an integer overflow in MetaDataBuilder.checkSize enables HTTP/2 HPACK header values to surpass their size limit. This overflow can lead to remote denial of service attacks against users of HTTP/2.

The Impact of CVE-2023-36478

Users of the HTTP/2 protocol are exposed to a remote denial of service attack because of the integer overflow in the handling of HPACK header values. Malicious actors can exploit this vulnerability to disrupt services.

Technical Details of CVE-2023-36478

The vulnerability lies in the MetaDataBuilder.checkSize function, which allows buffer allocations to be sized from user-supplied HPACK header values, potentially leading to a DoS attack.

Vulnerability Description

The flaw allows user-supplied HPACK header sizes to exceed the configured limits: the integer overflow that occurs while computing the header size defeats the size check, so the server allocates large buffers, affecting HTTP/2 users.

Affected Systems and Versions

Eclipse Jetty versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52 are affected by this vulnerability, putting users of these versions at risk of a DoS attack.

Exploitation Mechanism

Malicious actors can exploit this flaw by providing specially crafted HPACK header values, causing the server to allocate large buffers, leading to service disruption.
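The following Java program is an illustration added here to show the pattern behind the Vulnerability Description and Exploitation Mechanism sections; it is not Jetty's source and does not reproduce MetaDataBuilder.checkSize. It places an add-then-compare size check, the kind of check that a 32-bit overflow defeats, next to a hardened version that cannot overflow. The class name, method names, the 8 KiB limit and the header-length sequences are all assumptions constructed for the demonstration.

```java
import java.util.List;

/**
 * Added illustration of the overflow pattern CVE-2023-36478 describes.
 * This is NOT Jetty's MetaDataBuilder.checkSize; the class, method names
 * and the 8 KiB limit are assumptions chosen for the demonstration.
 */
public final class HpackSizeCheckDemo {

    // Assumed per-request limit on accumulated header bytes (constructed value).
    static final int MAX_HEADER_SIZE = 8 * 1024;

    /**
     * Overflow-prone check: add first, compare second.
     * Java int addition wraps silently, so a peer-supplied length close to
     * Integer.MAX_VALUE makes the sum negative, and a negative sum satisfies
     * the "<=" limit test even though the real total is far above the limit.
     */
    static boolean checkSizeOverflowProne(int accumulated, int length) {
        int newSize = accumulated + length;   // may wrap to a negative value
        return newSize <= MAX_HEADER_SIZE;
    }

    /**
     * Hardened check: reject negative inputs and compare by subtraction, so no
     * operation can overflow. Math.addExact(accumulated, length) is an
     * alternative that throws ArithmeticException instead of wrapping.
     */
    static boolean checkSizeSafe(int accumulated, int length) {
        if (accumulated < 0 || length < 0) {
            return false;
        }
        // MAX_HEADER_SIZE - accumulated cannot overflow because both are >= 0.
        return length <= MAX_HEADER_SIZE - accumulated;
    }

    /**
     * Simulates processing a header block: each entry's length is checked
     * against the limit before a buffer would be allocated for it.
     * Returns the number of entries accepted before the first rejection.
     */
    static int acceptedEntries(List<Integer> lengths, boolean hardened) {
        int accumulated = 0;
        int accepted = 0;
        for (int length : lengths) {
            boolean ok = hardened ? checkSizeSafe(accumulated, length)
                                  : checkSizeOverflowProne(accumulated, length);
            if (!ok) {
                break;
            }
            accumulated += length;   // the allocation the check was meant to bound
            accepted++;
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed header-length sequences: a benign one and one whose
        // second entry is large enough to wrap the 32-bit running sum.
        List<Integer> benign = List.of(100, 200, 300);
        List<Integer> wrapping = List.of(200, Integer.MAX_VALUE - 100);

        System.out.println("benign, overflow-prone check accepts: "
                + acceptedEntries(benign, false) + " of " + benign.size());
        System.out.println("benign, hardened check accepts:       "
                + acceptedEntries(benign, true) + " of " + benign.size());
        System.out.println("wrapping, overflow-prone check accepts: "
                + acceptedEntries(wrapping, false) + " of " + wrapping.size());
        System.out.println("wrapping, hardened check accepts:       "
                + acceptedEntries(wrapping, true) + " of " + wrapping.size());
    }
}
```

Compile and run with javac and java. With the wrapping sequence, the add-then-compare version accepts the oversized second entry because 200 plus (Integer.MAX_VALUE minus 100) wraps to a negative int, and a negative value trivially passes a "less than or equal" limit test; that is the condition under which an allocation sized from the untrusted value would proceed. The subtraction-based version rejects the same entry. The same reasoning applies to any size check that adds untrusted lengths in a fixed-width integer before comparing, so when reviewing similar code, look for the addition happening before the bound check.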

Mitigation and Prevention

To address CVE-2023-36478, users are advised to take immediate steps and implement long-term security measures to protect their systems.

Immediate Steps to Take

        Update Eclipse Jetty to versions 11.0.16, 10.0.16, or 9.4.53 to mitigate the vulnerability.

Long-Term Security Practices

        Regularly monitor security advisories and apply patches promptly to mitigate future vulnerabilities.

Patching and Updates

        Stay informed about security releases from Eclipse Jetty and apply relevant patches to keep systems secure.
