[jetty-dev] Statement about HTTP/2 CONTINUATION frames can be utilized f

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] Statement about HTTP/2 CONTINUATION frames can be utilized for DoS attacks #421644

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Date: Wed, 3 Apr 2024 14:41:55 -0500
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-dev/>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>

An industry level HTTP/2 vulnerability related to HTTP/2 CONTINUATION frames being utilized for DoS attacks has just been published.

https://www.kb.cert.org/vuls/id/421644

Eclipse Jetty is Not Affected by this vulnerability.

The Eclipse Jetty team (and the original reporter of the vulnerability) has tested various recent releases of Eclipse Jetty to verify.

The following releases, using default configurations for HTTP/2, have been tested and do not have the problems identified in the vulnerability.

Eclipse Jetty - 12.0.7 (current supported version)
Eclipse Jetty - 11.0.20 (now at End of Community Support)
Eclipse Jetty - 10.0.20 (now at End of Community Support)
Eclipse Jetty - 9.4.54 (now at End of Community Support)

Joakim Erdfelt / joakim@xxxxxxxxxxx

Prev by Date: [jetty-dev] Java 22 is GA + Heads-up!
Next by Date: [jetty-dev] Announcing Eclipse Jetty 12.0.8
Previous by thread: [jetty-dev] Java 22 is GA + Heads-up!
Next by thread: [jetty-dev] Announcing Eclipse Jetty 12.0.8
Index(es):
- Date
- Thread

Back to the top