Original Report
Bjørn Seime [email protected]
10:27 AM (10 minutes ago)
Hi.
We've identified a potential denial of service vulnerability affecting Jetty HTTP/2 servers on 12.0.16.
An HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OOM and subsequently the JVM to exit.
See attached zip file for readme and a full proof of concept.
--
Bjorn C Seime
Vespa.ai, Trondheim - Norway
Impact
Remote peers can cause the JVM to crash or continuously report OOM.
Patches
12.0.17
Workarounds
No workarounds.
References
#12690
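Since the advisory lists no workaround, the practical check is whether any Jetty HTTP/2 artifact on a server's classpath is still at the affected release. The script below is an added example, not code from the advisory or from the Jetty project: it parses Jetty HTTP/2 jar names and classifies them using only the two versions this page names, 12.0.16 (reported affected) and 12.0.17 (the patch). The Maven-style jar naming pattern and the sample classpath listing are assumptions constructed for the example; earlier 12.0.x releases are reported separately as "unpatched-12.0" rather than as confirmed affected, because the page does not say whether they are.

```python
"""Added example (not part of the advisory): flag Jetty HTTP/2 jars on a
classpath by version, using only the versions the advisory page names."""
import re
from pathlib import Path

REPORTED_AFFECTED = (12, 0, 16)   # version the original report names
FIXED = (12, 0, 17)               # release listed under "Patches"

# Assumption: Jetty 12 HTTP/2 artifacts follow the Maven naming pattern
# jetty-http2-<module>-<major>.<minor>.<patch>[-<qualifier>].jar
JAR_RE = re.compile(
    r"^(?P<artifact>jetty-http2-[a-z-]+?)-(?P<ver>\d+\.\d+\.\d+)(?:[.-][\w.]+)?\.jar$"
)


def parse_jar(name):
    """Return (artifact, version tuple) for a Jetty HTTP/2 jar name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(p) for p in m.group("ver").split("."))
    return m.group("artifact"), version


def classify(version):
    """Map a version tuple onto what the advisory actually states."""
    if version == REPORTED_AFFECTED:
        return "affected"            # explicitly named in the report
    if version[:2] == (12, 0) and version >= FIXED:
        return "patched"             # 12.0.17 or later in the 12.0 line
    if version[:2] == (12, 0):
        return "unpatched-12.0"      # earlier 12.0.x: not named, but predates the fix
    return "outside-advisory"        # other release lines: not covered by this page


def audit(jar_names):
    """Classify every Jetty HTTP/2 jar in the list; other jars are skipped."""
    findings = {}
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        findings[name] = (artifact, ".".join(map(str, version)), classify(version))
    return findings


def audit_directory(path):
    """Run the same check over the jar files in a real lib/ directory."""
    return audit(p.name for p in Path(path).glob("*.jar"))


# Constructed sample classpath listing for the example (not a real deployment)
SAMPLE_CLASSPATH = [
    "jetty-http2-server-12.0.16.jar",
    "jetty-http2-common-12.0.16.jar",
    "jetty-http2-hpack-12.0.17.jar",
    "jetty-http2-client-12.0.9.jar",
    "jetty-http2-server-11.0.24.jar",
    "jetty-server-12.0.16.jar",              # not an HTTP/2 module; ignored
    "jetty-http2-server-12.0.16-sources.jar",
]

if __name__ == "__main__":
    for name, (artifact, version, status) in audit(SAMPLE_CLASSPATH).items():
        print(f"{status:18} {artifact} {version}  ({name})")
```

Point `audit_directory()` at the server's `lib/` directory to run it against a real installation; anything reported as "affected" should be moved to 12.0.17, and "unpatched-12.0" entries should be checked against the referenced issue before being treated as safe.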