Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-44487 not detected even when vulnerable jetty version present #1568

Open
jiri-muller opened this issue Oct 23, 2023 · 1 comment
Open
Labels
bug Something isn't working false-negative

Comments

@jiri-muller
Copy link

What happened:

I have gradle java project that is using jetty server:

|    +--- org.eclipse.jetty:jetty-bom:11.0.16
|    |    +--- org.eclipse.jetty:jetty-webapp:11.0.16 (c)
|    |    +--- org.eclipse.jetty:jetty-servlet:11.0.16 (c)
|    |    +--- org.eclipse.jetty:jetty-xml:11.0.16 (c)
|    |    +--- org.eclipse.jetty:jetty-security:11.0.16 (c)
|    |    +--- org.eclipse.jetty:jetty-util:11.0.16 (c)
|    |    +--- org.eclipse.jetty:jetty-server:11.0.16 (c)
|    |    +--- org.eclipse.jetty:jetty-http:11.0.16 (c)
|    |    \--- org.eclipse.jetty:jetty-io:11.0.16 (c)

What you expected to happen:

I expect https://nvd.nist.gov/vuln/detail/CVE-2023-44487 to be detected by Grype because jetty version 11.0.16 should be vulnerable.
Issue is correctly detected when match.java.using-cpes: true is set.

How to reproduce it (as minimally and precisely as possible):

I don't have precise reproducer, sorry :(
My best guess is this:

  • Create spring boot project ( < v3.1.5) with jetty 11.0.16
  • Build docker image using jib
  • Run grype scan on resulting docker image

Anything else we need to know?:

Might be related to this issue? github/advisory-database#2869
Issue is correctly detected when match.java.using-cpes: true is set.
Json output for the issue then looks like this:

{
  "vulnerability": {
    "id": "CVE-2023-44487",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "http://www.openwall.com/lists/oss-security/2023/10/13/4",
      "http://www.openwall.com/lists/oss-security/2023/10/13/9",
      "http://www.openwall.com/lists/oss-security/2023/10/18/4",
      "http://www.openwall.com/lists/oss-security/2023/10/18/8",
      "http://www.openwall.com/lists/oss-security/2023/10/19/6",
      "http://www.openwall.com/lists/oss-security/2023/10/20/8",
      "https://access.redhat.com/security/cve/cve-2023-44487",
      "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/",
      "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/",
      "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/",
      "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/",
      "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/",
      "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack",
      "https://blog.vespa.ai/cve-2023-44487/",
      "https://bugzilla.proxmox.com/show_bug.cgi?id=4988",
      "https://bugzilla.redhat.com/show_bug.cgi?id=2242803",
      "https://bugzilla.suse.com/show_bug.cgi?id=1216123",
      "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9",
      "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/",
      "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack",
      "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125",
      "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve",
      "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764",
      "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088",
      "https://github.com/Azure/AKS/issues/3947",
      "https://github.com/Kong/kong/discussions/11741",
      "https://github.com/advisories/GHSA-qppj-fm5r-hxr3",
      "https://github.com/advisories/GHSA-vx74-f528-fxqg",
      "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p",
      "https://github.com/akka/akka-http/issues/4323",
      "https://github.com/alibaba/tengine/issues/1872",
      "https://github.com/apache/apisix/issues/10320",
      "https://github.com/apache/httpd-site/pull/10",
      "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113",
      "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2",
      "https://github.com/apache/trafficserver/pull/10564",
      "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487",
      "https://github.com/bcdannyboy/CVE-2023-44487",
      "https://github.com/caddyserver/caddy/issues/5877",
      "https://github.com/caddyserver/caddy/releases/tag/v2.7.5",
      "https://github.com/dotnet/announcements/issues/277",
      "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73",
      "https://github.com/eclipse/jetty.project/issues/10679",
      "https://github.com/envoyproxy/envoy/pull/30055",
      "https://github.com/etcd-io/etcd/issues/16740",
      "https://github.com/facebook/proxygen/pull/466",
      "https://github.com/golang/go/issues/63417",
      "https://github.com/grpc/grpc-go/pull/6703",
      "https://github.com/h2o/h2o/pull/3291",
      "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf",
      "https://github.com/haproxy/haproxy/issues/2312",
      "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244",
      "https://github.com/junkurihara/rust-rpxy/issues/97",
      "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1",
      "https://github.com/kazu-yamamoto/http2/issues/93",
      "https://github.com/kubernetes/kubernetes/pull/121120",
      "https://github.com/line/armeria/pull/5232",
      "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632",
      "https://github.com/micrictor/http2-rst-stream",
      "https://github.com/microsoft/CBL-Mariner/pull/6381",
      "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61",
      "https://github.com/nghttp2/nghttp2/pull/1961",
      "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0",
      "https://github.com/ninenines/cowboy/issues/1615",
      "https://github.com/nodejs/node/pull/50121",
      "https://github.com/openresty/openresty/issues/930",
      "https://github.com/opensearch-project/data-prepper/issues/3474",
      "https://github.com/oqtane/oqtane.framework/discussions/3367",
      "https://github.com/projectcontour/contour/pull/5826",
      "https://github.com/tempesta-tech/tempesta/issues/1986",
      "https://github.com/varnishcache/varnish-cache/issues/3996",
      "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo",
      "https://istio.io/latest/news/security/istio-security-2023-004/",
      "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/",
      "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q",
      "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html",
      "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html",
      "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html",
      "https://lists.fedoraproject.org/archives/list/[email protected]/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/",
      "https://lists.fedoraproject.org/archives/list/[email protected]/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/",
      "https://lists.fedoraproject.org/archives/list/[email protected]/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/",
      "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html",
      "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html",
      "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html",
      "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/",
      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487",
      "https://my.f5.com/manage/s/article/K000137106",
      "https://netty.io/news/2023/10/10/4-1-100-Final.html",
      "https://news.ycombinator.com/item?id=37830987",
      "https://news.ycombinator.com/item?id=37830998",
      "https://news.ycombinator.com/item?id=37831062",
      "https://news.ycombinator.com/item?id=37837043",
      "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/",
      "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected",
      "https://security.netapp.com/advisory/ntap-20231016-0001/",
      "https://security.paloaltonetworks.com/CVE-2023-44487",
      "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14",
      "https://ubuntu.com/security/CVE-2023-44487",
      "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/",
      "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
      "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event",
      "https://www.debian.org/security/2023/dsa-5521",
      "https://www.debian.org/security/2023/dsa-5522",
      "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487",
      "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/",
      "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
      "https://www.openwall.com/lists/oss-security/2023/10/10/6",
      "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack",
      "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
    ],
    "description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.",
    "cvss": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "version": "3.1",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "metrics": {
          "baseScore": 7.5,
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        },
        "vendorMetadata": {}
      }
    ],
    "fix": {
      "versions": [],
      "state": "unknown"
    },
    "advisories": []
  },
  "relatedVulnerabilities": [],
  "matchDetails": [
    {
      "type": "cpe-match",
      "matcher": "java-matcher",
      "searchedBy": {
        "namespace": "nvd:cpe",
        "cpes": [
          "cpe:2.3:a:eclipse:jetty:11.0.16:*:*:*:*:*:*:*"
        ],
        "Package": {
          "name": "jetty-http",
          "version": "11.0.16"
        }
      },
      "found": {
        "vulnerabilityID": "CVE-2023-44487",
        "versionConstraint": "< 9.4.53 || >= 10.0.0, < 10.0.17 || >= 11.0.0, < 11.0.17 || >= 12.0.0, < 12.0.2 (unknown)",
        "cpes": [
          "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*"
        ]
      }
    }
  ],
  "artifact": {
    "id": "03927fc04a68f161",
    "name": "jetty-http",
    "version": "11.0.16",
    "type": "java-archive",
    "locations": [
      {
        "path": "/app/libs/jetty-http-11.0.16.jar",
        "layerID": "sha256:eb344aeb9fbf199e3b5e13054bae6d601b3ac44272f81ebc7d43279135b0969e"
      }
    ],
    "language": "java",
    "licenses": [
      "https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0"
    ],
    "cpes": [
      "cpe:2.3:a:eclipse-jetty-project:jetty-http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse-jetty-project:jetty_http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse_jetty_project:jetty-http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse_jetty_project:jetty_http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse-jetty-project:jetty:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse_jetty_project:jetty:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse-jetty-project:http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse_jetty_project:http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty-http:jetty-http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty-http:jetty_http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty_http:jetty-http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty_http:jetty_http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse:jetty-http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse:jetty_http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty-http:jetty:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty:jetty-http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty:jetty_http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty_http:jetty:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:http:jetty-http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:http:jetty_http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty-http:http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty_http:http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse:jetty:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:eclipse:http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty:jetty:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:http:jetty:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:jetty:http:11.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:http:http:11.0.16:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:maven/org.eclipse.jetty/[email protected]",
    "upstreams": [],
    "metadataType": "JavaMetadata",
    "metadata": {
      "virtualPath": "/app/libs/jetty-http-11.0.16.jar",
      "pomArtifactID": "jetty-http",
      "pomGroupID": "org.eclipse.jetty",
      "manifestName": "",
      "archiveDigests": [
        {
          "algorithm": "sha1",
          "value": "fa8f92516b912989f13121cdea1f993ef225d420"
        }
      ]
    }
  }
}

Environment:

  • grype 0.72.0
  • Ubuntu 22.04.3 LTS
@wagoodman
Copy link
Contributor

An initial look is that the upstream GHSA record GHSA-qppj-fm5r-hxr3 needs to be updated to attach it to the java ecosystem for jetty (the netty PR looks to be here github/advisory-database#2908).

@wagoodman wagoodman moved this to Backlog in OSS Nov 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working false-negative
Projects
Status: Backlog
Development

No branches or pull requests

3 participants