CVE-2021-28165

7.5 HIGH

📋 TL;DR

This vulnerability in Eclipse Jetty allows denial-of-service attacks by causing 100% CPU usage when processing large invalid TLS frames. Attackers can exploit this to make affected servers unresponsive. Organizations using vulnerable Jetty versions for web services or applications are affected.

💻 Affected Systems

Products:
  • Eclipse Jetty
Versions: 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1
Operating Systems: All operating systems running affected Jetty versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any Jetty server at an affected version that accepts TLS/SSL connections is exposed. The flaw is in the TLS handling component itself and does not depend on any particular configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage with 100% CPU consumption, making the server unresponsive to legitimate requests and potentially affecting downstream services.

🟠 Likely Case: Degraded performance or temporary service disruption during attack periods, requiring manual intervention to restore service.

🟢 If Mitigated: Minimal impact, provided proper monitoring and rapid response capabilities are in place to detect and mitigate attacks.

🌐 Internet-Facing: HIGH - Internet-facing Jetty servers are directly exposed to potential DoS attacks from any external source.
🏢 Internal Only: MEDIUM - Internal servers could still be targeted by compromised internal systems or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted TLS frames but doesn't require authentication. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jetty 9.4.39, 10.0.2, 11.0.2

Vendor Advisory: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

Restart Required: Yes

Instructions:

1. Identify the current Jetty version.
2. Upgrade to Jetty 9.4.39, 10.0.2, or 11.0.2 depending on your major version.
3. Replace the Jetty JAR files with the patched versions.
4. Restart the Jetty server.
5. Verify the fix by checking the version and monitoring for the issue.

🔧 Temporary Workarounds

Rate Limiting and Monitoring (applies to: all)

Implement network-level rate limiting and monitoring to detect abnormal TLS traffic patterns.

Load Balancer Filtering (applies to: all)

Configure load balancers or WAFs to filter suspicious TLS traffic before it reaches Jetty servers.

🧯 If You Can't Patch

  • Implement aggressive rate limiting on TLS connections to prevent mass exploitation
  • Deploy additional monitoring for CPU spikes and TLS connection anomalies with automated alerting

🔍 How to Verify

Check if Vulnerable:

Check Jetty version using 'java -jar jetty-home-*.jar --version' or examine server startup logs for version information.

Check Version:

java -jar jetty-home-*.jar --version 2>&1 | grep -i jetty

Verify Fix Applied:

Confirm version is 9.4.39+, 10.0.2+, or 11.0.2+ and monitor for absence of 100% CPU spikes during TLS traffic.
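The version comparison above is easy to get wrong by hand because Jetty version strings carry build and pre-release suffixes (e.g. 9.4.38.v20210224, 10.0.0.alpha0). The following POSIX sh helper is an added example, not part of this advisory or of the Jetty project; it classifies a version string against the affected ranges stated on this page, and the script name and the "not-affected" / "unknown" labels are my own choices.

```shell
#!/bin/sh
# Added helper, not part of the advisory: classify a Jetty version string
# against the affected ranges listed on this page (7.2.2-9.4.38,
# 10.0.0.alpha0-10.0.1, 11.0.0.alpha0-11.0.1; fixed in 9.4.39 / 10.0.2 / 11.0.2).
# Usage (hypothetical file name): sh jetty-cve-2021-28165-check.sh 9.4.38.v20210224

# Turn "9.4.38.v20210224" or "10.0.0.alpha0" into an integer sort key
# (major*1000000 + minor*1000 + patch); fails if the input is not a numeric triple.
version_key() {
    core=$(printf '%s\n' "$1" | cut -d. -f1-3)   # drop the ".vYYYYMMDD" / ".alpha0" suffix
    case "$core" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;      # letters, empty fields, or nothing at all
    esac
    set -- $(printf '%s\n' "$core" | tr '.' ' ')
    [ $# -eq 3 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Prints "vulnerable", "not-affected" or "unknown" and returns 0 / 1 / 2 respectively.
# Pre-release builds of an affected minor (e.g. 10.0.0.alpha0) count as affected,
# matching the ranges stated above.
jetty_status() {
    key=$(version_key "$1") || { echo unknown; return 2; }
    # Bounds use the same key formula: 7.2.2=7002002, 9.4.38=9004038,
    # 10.0.0=10000000, 10.0.1=10000001, 11.0.0=11000000, 11.0.1=11000001
    if   [ "$key" -ge 7002002  ] && [ "$key" -le 9004038  ]; then echo vulnerable; return 0
    elif [ "$key" -ge 10000000 ] && [ "$key" -le 10000001 ]; then echo vulnerable; return 0
    elif [ "$key" -ge 11000000 ] && [ "$key" -le 11000001 ]; then echo vulnerable; return 0
    fi
    echo not-affected
    return 1
}

# Classify a version passed on the command line, e.g. one pasted from the
# output of `java -jar jetty-home-*.jar --version`.
if [ -n "${1:-}" ]; then
    jetty_status "$1"
fi
```

Versions below 7.2.2 or above the listed ranges are reported as not-affected because they fall outside the ranges this advisory gives, not because a fix was verified for them.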

📡 Detection & Monitoring

Log Indicators:

  • Unusual TLS handshake failures
  • Server logs showing connection resets during TLS negotiation

Network Indicators:

  • Abnormally large TLS frames
  • High volume of TLS connection attempts from single sources

SIEM Query:

source="jetty.logs" AND ("TLS handshake failed" OR "SSLException") | stats count by src_ip
