Bug 1210620 (CVE-2023-26048) - VUL-0: CVE-2023-26048: jetty-minimal,jetty-websocket: OutOfMemoryError for large multipart without filename read via request.getParameter()
Status: RESOLVED FIXED
Alias: CVE-2023-26048
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/363934/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-26048:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-19 08:10 UTC by Cathy Hu
Modified: 2024-05-06 12:32 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Cathy Hu 2023-04-19 08:10:33 UTC
CVE-2023-26048

Jetty is a Java-based web server and servlet engine. In affected versions,
servlets with multipart support (e.g. annotated with `@MultipartConfig`) that
call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may
cause an `OutOfMemoryError` when the client sends a multipart request with a part
that has a name but no filename and very large content. This happens even with
the default setting of `fileSizeThreshold=0`, which should stream the whole part
content to disk. An attacker client may send a large multipart request and cause
the server to throw `OutOfMemoryError`. However, the server may be able to
recover after the `OutOfMemoryError` and continue its service, although it may
take some time. This issue has been patched in versions 9.4.51, 10.0.14, and
11.0.14. Users are advised to upgrade. Users unable to upgrade may set the
multipart parameter `maxRequestSize`, which must be set to a non-negative value,
so that the whole multipart content is limited (although still read into memory).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26048
https://www.cve.org/CVERecord?id=CVE-2023-26048
https://github.com/eclipse/jetty.project/issues/9076
https://github.com/eclipse/jetty.project/pull/9344
https://github.com/eclipse/jetty.project/pull/9345
https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
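As an added illustration of the workaround described above (not code from the bug report or from the Jetty project), a servlet that bounds the whole multipart body with `maxRequestSize` and answers an oversized request with 413 instead of letting the container buffer an unbounded form field; the servlet name, URL and size limits are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical upload servlet. With maxRequestSize left at its default (-1, unlimited),
// a part that has a name but no filename is buffered in memory on affected Jetty
// versions regardless of fileSizeThreshold=0; a non-negative maxRequestSize caps
// how much the container will read (the body is still buffered, but bounded).
@WebServlet("/upload")
@MultipartConfig(
    fileSizeThreshold = 0,                // stream file parts to disk (the default)
    maxFileSize = 10L * 1024 * 1024,      // assumed limit: 10 MiB per part
    maxRequestSize = 12L * 1024 * 1024)   // assumed limit: 12 MiB for the whole body
public class BoundedUploadServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // getParts() (like getParameter() on a multipart request) triggers parsing;
            // with the limits above the container stops at the cap instead of growing a buffer.
            long formFieldBytes = 0;
            for (Part part : req.getParts()) {
                if (part.getSubmittedFileName() == null) {
                    // name but no filename: the form-field case from CVE-2023-26048
                    formFieldBytes += part.getSize();
                }
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("form field bytes: " + formFieldBytes);
        } catch (IllegalStateException tooLarge) {
            // the Servlet API throws IllegalStateException when the body exceeds
            // maxRequestSize or a single part exceeds maxFileSize
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                    "multipart body exceeds the configured limit");
        }
    }
}
```

Upgrading to 9.4.51 (or the 10.0.14/11.0.14 releases named above) remains the fix; the limit only bounds the damage on an unpatched server.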
Comment 1 Cathy Hu 2023-04-19 08:10:47 UTC
Affected:
- SUSE:SLE-15-SP2:Update/jetty-minimal    9.4.48
- SUSE:SLE-15-SP2:Update/jetty-websocket  9.4.48
- openSUSE:Factory/jetty-minimal          9.4.48
- openSUSE:Factory/jetty-unixsocket       9.4.48
- openSUSE:Factory/jetty-websocket        9.4.48
Comment 4 Maintenance Automation 2023-06-19 08:30:20 UTC
SUSE-SU-2023:2539-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1210620, 1210621
CVE References: CVE-2023-26048, CVE-2023-26049
Sources used:
openSUSE Leap 15.4 (src): jetty-minimal-9.4.51-150200.3.19.2
openSUSE Leap 15.5 (src): jetty-minimal-9.4.51-150200.3.19.2
Development Tools Module 15-SP4 (src): jetty-minimal-9.4.51-150200.3.19.2
Development Tools Module 15-SP5 (src): jetty-minimal-9.4.51-150200.3.19.2
SUSE Linux Enterprise Real Time 15 SP3 (src): jetty-minimal-9.4.51-150200.3.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Fridrich Strba 2024-03-04 12:23:40 UTC
Time to close
Comment 6 Robert Frohl 2024-05-06 12:32:56 UTC
done, closing