Synopsys Cybersecurity Research Center (CyRC) researchers have discovered CVE-2020-27223, a denial of service vulnerability in Eclipse Jetty, a widely used open source web server and servlet container.
According the Eclipse Foundation’s website, “Jetty is used in a wide variety of projects and products, both in development and production. Jetty has long been loved by developers due to its long history of being easily embedded in devices, tools, frameworks, application servers, and modern cloud services.”
Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), explains, “A DoS vulnerability in Jetty is something close to a digital nightmare, due to it being widely used. Especially for embedded devices in Industrial Control, which are quite often not patchable, this can have severe consequences as availability is paramount in these environments. A Shodan search shows approximately 900,000 entries for ‘Jetty’, with a large majority being located in the U.S. Even if these device are behind a firewall or in separated networks, this vulnerability provides cybercriminals with a new attack vector for extortion. Next to, or instead of, encrypting systems, they can initiate a DoS on devices with an embedded Jetty webserver once foothold is established.”
Vishal Jain, Co-Founder and CTO at Valtix, says, “There is a need for advanced web protection service that has a rich set of rules taking into account varied application frameworks, such as Jetty, WordPress, Jhoomla etc… to target the CVEs. In addition, these web protection services should be able to ingest the updated rulesets for newer threats in a near real-time manner as soon as they are available and automate these ruleset updates in the customer’s environment reducing the critical window of exposure. The key is a defense in depth approach of automating security that makes it much more expensive for attackers who are currently pivoting on one-off exploits.”
Tal Morgenstern, Co-Founder and CPO at Vulcan Cyber, says, “This remote DOS vulnerability can be patched by upgrading Jetty or mitigated by monitoring and blocking large requests with accept header or monitoring high abnormal CPU utilization. Before taking any action, be sure to assess the risk to the environment related to the DOS attack, as it may be more critical to some servers more than others.”