CVE-2023-36478 – This CVE describes an integer overflow vulnerab... (How to Fix)

Q: What is the severity of CVE-2023-36478?

CVE-2023-36478 has a CVSS score of 7.5 (HIGH). This CVE describes an integer overflow vulnerability in Eclipse Jetty's HTTP/2 HPACK header processing. Attackers can send specially crafted HTTP/2 requests with large header values that bypass size limits, causing excessive memory allocation and leading to denial of service. Users running vulnerable Jetty versions with HTTP/2 enabled are affected.

📋 TL;DR

This CVE describes an integer overflow vulnerability in Eclipse Jetty's HTTP/2 HPACK header processing. Attackers can send specially crafted HTTP/2 requests with large header values that bypass size limits, causing excessive memory allocation and leading to denial of service. Users running vulnerable Jetty versions with HTTP/2 enabled are affected.

💻 Affected Systems

Products:

Eclipse Jetty

Versions: Jetty 9.0.0 through 9.4.52, 10.0.0 through 10.0.15, 11.0.0 through 11.0.15

Operating Systems: All operating systems running Jetty

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with HTTP/2 enabled. HTTP/1.x is not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker causes memory exhaustion leading to complete service unavailability and potential system instability.

🟠

Likely Case

Denial of service through memory exhaustion, causing service disruption and degraded performance.

🟢

If Mitigated

With proper network controls and monitoring, impact is limited to temporary service degradation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires HTTP/2 access but no authentication. The vulnerability is straightforward to exploit once understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jetty 9.4.53, 10.0.16, 11.0.16

Vendor Advisory: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009

Restart Required: Yes

Instructions:

1. Download patched version from Eclipse Jetty releases. 2. Stop Jetty service. 3. Replace Jetty JARs with patched versions. 4. Restart Jetty service. 5. Verify version update.

🔧 Temporary Workarounds

Disable HTTP/2

all

Disable HTTP/2 protocol support to prevent exploitation

Configure Jetty connector to use HTTP/1.1 only

🧯 If You Can't Patch

Implement network controls to restrict HTTP/2 traffic to trusted sources only
Monitor memory usage and implement alerting for abnormal memory consumption patterns

🔍 How to Verify

Check if Vulnerable:

Check Jetty version and HTTP/2 configuration. If running affected versions with HTTP/2 enabled, system is vulnerable.

Check Version:

java -jar jetty-home-*.jar --version

Verify Fix Applied:

Verify Jetty version is 9.4.53+, 10.0.16+, or 11.0.16+ and test HTTP/2 functionality.

📡 Detection & Monitoring

Log Indicators:

Memory allocation errors
OutOfMemoryError exceptions
HTTP/2 connection resets

Network Indicators:

Unusually large HTTP/2 header frames
Multiple HTTP/2 connections with large payloads

SIEM Query:

source="jetty.log" AND ("OutOfMemoryError" OR "Memory allocation failed" OR "HTTP/2 header size")

📊 Metadata

CVE ID: CVE-2023-36478

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-190

Published: October 10, 2023

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2023/10/18/4 Mailing List,Third Party Advisory
https://github.com/eclipse/jetty.project/pull/9634 Issue Tracking,Patch
https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16 Release Notes
https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16 Release Notes
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009 Release Notes
https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r Exploit,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html Mailing List
https://security.netapp.com/advisory/ntap-20231116-0011/ Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.debian.org/security/2023/dsa-5540 Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/18/4 Mailing List,Third Party Advisory
https://github.com/eclipse/jetty.project/pull/9634 Issue Tracking,Patch
https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16 Release Notes
https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16 Release Notes
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009 Release Notes
https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r Exploit,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html Mailing List
https://security.netapp.com/advisory/ntap-20231116-0011/ Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.debian.org/security/2023/dsa-5540 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36478, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Debian Linux by Debian

Debian Linux by Debian

Debian Linux by Debian

Jenkins by Jenkins

Jenkins by Jenkins

Jetty by Eclipse

Jetty by Eclipse

Jetty by Eclipse

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable HTTP/2

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities