What is the severity of CVE-2021-28165?

CVE-2021-28165 has a CVSS v3 score of 7.5, which is classified as High severity.

Is there an exploit available for CVE-2021-28165?

Yes, there are known exploits available for CVE-2021-28165. Immediate patching is recommended.

Is there a patch available for CVE-2021-28165?

Yes, patches are available for CVE-2021-28165. Check the vendor advisories for update instructions.

CVE-2021-28165 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v37.5

CVSS v27.8

Priority Score487.0

EPSS Score54.0

High

Exploitation LikelihoodCritical

54.00%EPSS

Very high probability of exploitation in the next 30 days

Immediate patching required

54.00%

EPSS

7.5

CVSS

Yes

Exploit

Yes

Patch

High Priority

high EPSS • exploit exists

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.

Workarounds

The problem can be worked around by compiling the following class:

package org.eclipse.jetty.server.ssl.fix6072;

import java.nio.ByteBuffer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.ssl.SslConnection;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.BufferUtil;
import org.eclipse.jetty.util.annotation.Name;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory
{
    public SpaceCheckingSslConnectionFactory(@Name("sslContextFactory") SslContextFactory factory, @Name("next") String nextProtocol)
    {
        super(factory, nextProtocol);
    }

    @Override
    protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine)
    {
        return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption())
        {
            @Override
            protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException
            {
                SSLEngineResult results = super.unwrap(sslEngine, input, output);

                if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW ||
                    results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) &&
                    BufferUtil.space(input) == 0)
                {
                    BufferUtil.clear(input);
                    throw new SSLHandshakeException("Encrypted buffer max length exceeded");
                }
                return results;
            }
        };
    }
}

This class can be deployed by:

The resulting class file should be put into a jar file (eg sslfix6072.jar)
The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Network

Scope:Unchanged

Confidentiality:Network

Integrity:Network

Availability:High

Exploit References

GitHub [email protected]

Patch References

Lists.apache.org Lists.apache.org Lists.apache.org

Vendor	Product
Netapp	Cloud Manager
Netapp

Ready for Agentic Automated Testing?

CVE-2021-28165

Impact

Workarounds