CVE-2023-36478 Overview
CVE-2023-36478 is an integer overflow vulnerability in Eclipse Jetty, a widely-used Java web server and servlet container. The flaw exists in the MetaDataBuilder.checkSize method, which is responsible for validating HTTP/2 HPACK header values against size limits. When processing specially crafted header values with Huffman encoding enabled, an attacker can trigger an integer overflow that bypasses size validation checks, potentially causing the server to allocate excessively large memory buffers.
This vulnerability affects HTTP/2 connections and can be exploited remotely without authentication to cause denial of service conditions on affected Jetty servers. The integer overflow occurs during the multiplication operation used to calculate buffer sizes, allowing negative values to bypass boundary checks and subsequently trigger massive memory allocations.
Critical Impact
Remote attackers can exploit this HTTP/2 HPACK integer overflow to cause denial of service on Eclipse Jetty servers through excessive memory allocation, affecting critical infrastructure including Jenkins CI/CD pipelines.
Affected Products
- Eclipse Jetty versions 11.0.0 through 11.0.15
- Eclipse Jetty versions 10.0.0 through 10.0.15
- Eclipse Jetty versions 9.0.0 through 9.4.52
- Jenkins (uses Jetty as embedded server)
- Debian Linux 10.0, 11.0, 12.0
Discovery Timeline
- October 10, 2023 - CVE-2023-36478 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-36478
Vulnerability Analysis
The vulnerability resides in Eclipse Jetty's HTTP/2 HPACK header compression implementation, specifically within the MetaDataBuilder.java file. The checkSize method is designed to validate that header names and values do not exceed configured size limits. However, a critical flaw in the arithmetic logic allows attackers to circumvent these protections.
When processing HPACK-encoded headers with Huffman compression enabled, the code multiplies the header length by 4 (line 295 in affected versions) as part of the size calculation. When an attacker supplies a carefully chosen large positive length value, this multiplication causes an integer overflow, resulting in a negative number. Since Java integers are signed 32-bit values, overflow wraps around to negative territory.
The subsequent size check (_size + length) evaluates to a negative value when length is negative, causing the boundary check on line 296 to pass when it should fail. This allows oversized header values to be accepted by the parser.
Furthermore, the vulnerability has a second exploitable aspect: when the user-controlled size value is later multiplied by 2 during buffer allocation, a negative value (which is actually a very large positive number when interpreted as unsigned) can cause allocation of an enormous buffer, leading to memory exhaustion and denial of service.
Root Cause
The root cause is CWE-190: Integer Overflow or Wraparound. The MetaDataBuilder.checkSize method fails to properly validate integer boundaries before performing arithmetic operations. Specifically:
- The multiplication of the length parameter by 4 (the Huffman fudge factor of 4/3) can overflow when length exceeds approximately 536 million
- No bounds checking is performed before the multiplication to prevent overflow
- The resulting negative value bypasses the intended size limit validation
- Subsequent buffer allocation using the corrupted size value leads to resource exhaustion
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by:
- Establishing an HTTP/2 connection to a vulnerable Jetty server
- Sending crafted HPACK-encoded headers with Huffman compression enabled
- Including a length value that, when multiplied by 4, overflows to a negative number
- The negative length bypasses size checks and causes excessive memory allocation
- Repeated exploitation exhausts server memory, causing denial of service
The vulnerability is triggered through malformed HTTP/2 HPACK header frames. The attacker manipulates the header value size field to exploit the integer overflow condition, causing the server to allocate buffers far exceeding intended limits.
Detection Methods for CVE-2023-36478
Indicators of Compromise
- Unusual spikes in memory consumption on Jetty server processes
- HTTP/2 connections with abnormally large or malformed HPACK header frames
- Out-of-memory errors or Java heap exhaustion in Jetty logs
- Server unresponsiveness or crashes following HTTP/2 traffic spikes
Detection Strategies
- Monitor Jetty server memory usage patterns for sudden, unexplained increases during HTTP/2 traffic
- Implement network-level inspection for HTTP/2 HPACK frames with suspiciously large header size declarations
- Configure application performance monitoring (APM) to alert on memory allocation anomalies in the Jetty process
- Review Jetty access logs for connections that result in memory-related exceptions shortly after establishment
Monitoring Recommendations
- Enable verbose logging for HTTP/2 connections on Jetty servers to capture header frame details
- Set up memory threshold alerts at 80% and 90% of allocated heap space for Jetty instances
- Implement connection rate limiting for HTTP/2 to slow potential exploitation attempts
- Deploy network intrusion detection rules targeting malformed HPACK header patterns
How to Mitigate CVE-2023-36478
Immediate Actions Required
- Upgrade Eclipse Jetty to patched versions: 11.0.16, 10.0.16, or 9.4.53 immediately
- If immediate upgrade is not possible, consider temporarily disabling HTTP/2 support to eliminate the attack vector
- Apply available security patches from downstream distributions (Debian DSA-5540)
- Review and update Jenkins installations that embed vulnerable Jetty versions
Patch Information
Eclipse has released patched versions that address the integer overflow vulnerability:
- Jetty 11.x: Upgrade to version 11.0.16 or later
- Jetty 10.x: Upgrade to version 10.0.16 or later
- Jetty 9.x: Upgrade to version 9.4.53 or later
The fix is tracked in GitHub Pull Request #9634. Additional details are available in the GitHub Security Advisory GHSA-wgh7-54f2-x98r.
Debian users should apply updates per DSA-5540 and the Debian LTS announcement.
Workarounds
- No official workarounds are available according to the vendor advisory; upgrading is the only recommended remediation
- As a temporary measure, organizations may consider disabling HTTP/2 support entirely if application requirements permit
- Implement rate limiting and connection throttling at the network perimeter to reduce exploitation impact
- Deploy web application firewalls (WAF) with rules to detect and block anomalous HTTP/2 traffic patterns
# Verify Jetty version after upgrade
java -jar start.jar --version
# Example: Check for vulnerable Jetty in Maven dependencies
mvn dependency:tree | grep jetty
# For Gradle projects
gradle dependencies | grep jetty
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
