Vulnerability Description
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Jetty | >= 7.2.2, < 9.4.39 |
| Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
| Oracle | Communications Element Manager | 8.2.2 |
| Oracle | Communications Services Gatekeeper | 7.0 |
| Oracle | Communications Session Report Manager | >= 8.0.0.0, <= 8.2.4.0 |
| Oracle | Communications Session Route Manager | >= 8.0.0.0, <= 8.2.4.0 |
| Oracle | Rest Data Services | < 21.3 |
| Oracle | Siebel Core - Automation | <= 21.9 |
| Jenkins | Jenkins | < 2.277.3 |
| Netapp | Cloud Manager | < 3.9.8 |
| Netapp | E-Series Performance Analyzer | < 3.0 |
| Netapp | E-Series Santricity Os Controller | >= 11.0.0, < 11.70.1 |
| Netapp | E-Series Santricity Storage | < 1.10 |
| Netapp | E-Series Santricity Web Services | < 5.1 |
| Netapp | Ontap Tools | < 9.10 |
| Netapp | Santricity Cloud Connector | - |
| Netapp | Santricity Web Services Proxy | < 5.1 |
| Netapp | Snapcenter | < 4.6 |
| Netapp | Storage Replication Adapter For Clustered Data Ontap | < 9.10 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/04/20/3 (Mailing List, Third Party Advisory)
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w (Exploit, Third Party Advisory)
- https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db
- https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf3
- https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b9
- https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da1
- https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0d
- https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9
- https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e669
- https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fa
- https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf9
- https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec14
- https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e
- https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc0
- https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced764
FAQ
What is CVE-2021-28165?
CVE-2021-28165 is a vulnerability with a CVSS score of 7.5 (HIGH). In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
How severe is CVE-2021-28165?
CVE-2021-28165 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-28165?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Oracle Autovue For Agile Product Lifecycle Management, Oracle Communications Cloud Native Core Policy, Oracle Communications Element Manager, Oracle Communications Services Gatekeeper.