CVE-2023-40167 Overview
CVE-2023-40167 affects Eclipse Jetty, a Java-based web server and servlet engine. The vulnerability stems from overly permissive parsing of HTTP/1 header fields. Jetty accepts a + character preceding the Content-Length value, which violates RFC 9110 requirements. Most compliant servers reject such requests with HTTP 400 responses.
The issue creates a theoretical HTTP request smuggling risk. If Jetty operates behind or alongside a server that does not close the connection after returning a 400 response, an attacker could exploit the parsing discrepancy. The Eclipse Foundation patched the issue in versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1. The weakness is classified under [CWE-130] (Improper Handling of Length Parameter Inconsistency).
Critical Impact
A parsing discrepancy in Content-Length handling could enable HTTP request smuggling when Jetty is paired with non-compliant upstream or downstream servers.
Affected Products
- Eclipse Jetty versions prior to 9.4.52
- Eclipse Jetty versions prior to 10.0.16, 11.0.16, and 12.0.1 (including 12.0.0 beta releases)
- Debian Linux 10, 11, and 12 distributions packaging affected Jetty versions
Discovery Timeline
- 2023-09-15 - CVE-2023-40167 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-40167
Vulnerability Analysis
The vulnerability resides in Jetty's HTTP/1 header field parser. RFC 9110 Section 8.6 defines Content-Length as a sequence of one or more digits. Jetty's parser deviates from this specification by accepting a leading + sign before the digit sequence.
This permissiveness creates a parsing inconsistency between Jetty and stricter HTTP intermediaries. When two servers in a request chain interpret the same header differently, an attacker can craft requests that appear as one message to the front-end server and a different message to the back-end server. This class of issue is known as HTTP request smuggling.
The Jetty advisory notes there is no known exploit scenario. Successful smuggling requires a paired server that both rejects the request with HTTP 400 and keeps the connection open afterward. Most modern proxies and load balancers close connections following a 400 response, which neutralizes the attack path.
Root Cause
The root cause is lenient input validation in the Content-Length parsing routine. The parser tolerates a leading + character that should produce a parse failure. This falls under [CWE-130], improper handling of length parameter inconsistency.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker submits a crafted HTTP/1 request containing a Content-Length header with a leading + sign, such as Content-Length: +10. The vulnerability has no known practical exploit chain absent a specific upstream server that fails to terminate connections after 400 responses. See the Eclipse Jetty GitHub Security Advisory GHSA-hmr7-m48g-48f6 and RFC 9110 Section 8.6 for the protocol context.
Detection Methods for CVE-2023-40167
Indicators of Compromise
- HTTP/1 requests containing Content-Length header values with a leading + character (e.g., Content-Length: +123)
- Unexpected HTTP 400 responses from upstream proxies followed by anomalous downstream request processing
- Discrepancies between request and response counts across server tiers in the same TCP connection
Detection Strategies
- Deploy web application firewall rules that inspect Content-Length header values and reject non-numeric prefixes
- Enable verbose HTTP request logging on Jetty and front-end proxies to compare parsed header values across the request chain
- Implement protocol conformance checks at network ingress that align with RFC 9110 Section 8.6
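To make the parsing discrepancy from the analysis above concrete, and to give the Content-Length inspection the detection strategies call for, the following is an added Python example (not Jetty's code or anything from the advisory): a strict RFC 9110 Section 8.6 parser next to a lenient one that models the pre-fix tolerance of a leading + sign, run over constructed sample requests to flag values the two parsers disagree on. The sample requests and function names are this example's own.

```python
import re
from typing import List, Optional, Tuple

# RFC 9110 Section 8.6: Content-Length = 1*DIGIT (unsigned, no sign, no inner whitespace)
RFC9110_CONTENT_LENGTH = re.compile(r"[0-9]+")


def lenient_content_length(value: str) -> Optional[int]:
    """Models the lenient pre-fix behaviour: a generic integer parser that, like
    Python's int(), accepts a leading '+'. This is a model, not Jetty's code."""
    try:
        n = int(value.strip())
    except ValueError:
        return None
    return n if n >= 0 else None


def strict_content_length(value: str) -> Optional[int]:
    """RFC 9110-conformant: only an unsigned digit sequence is valid.
    Optional whitespace (OWS) around the field value is allowed and stripped."""
    value = value.strip(" \t")
    if not RFC9110_CONTENT_LENGTH.fullmatch(value):
        return None
    return int(value)


def header_value(raw: bytes, name: str) -> Optional[str]:
    """Return the first value of header `name` from a raw HTTP/1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip(" \t")
    return None


def content_length_discrepancies(requests: List[bytes]) -> List[Tuple[int, str, int]]:
    """Flag requests whose Content-Length a lenient parser accepts but a strict
    one rejects: exactly the class of value that can desynchronise two tiers."""
    findings = []
    for idx, raw in enumerate(requests):
        value = header_value(raw, "Content-Length")
        if value is None:
            continue
        lenient, strict = lenient_content_length(value), strict_content_length(value)
        if lenient is not None and strict is None:
            findings.append((idx, value, lenient))
    return findings


# Constructed sample requests (not captured traffic): valid, leading '+', and non-numeric.
SAMPLE_REQUESTS = [
    b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 10\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: +10\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: abc\r\n\r\n",
]
```

Only the second sample is reported: both parsers agree on `10`, both reject `abc`, but `+10` is accepted leniently and rejected strictly, which is the value to alert on in access logs or a WAF rule.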
Monitoring Recommendations
- Monitor Jetty access logs for malformed header patterns and correlate with upstream proxy 400 responses
- Track connection reuse statistics on intermediaries to identify long-lived connections following error responses
- Forward web tier logs and proxy telemetry into a centralized analytics platform such as Singularity Data Lake to detect cross-tier parsing inconsistencies at scale
How to Mitigate CVE-2023-40167
Immediate Actions Required
- Upgrade Eclipse Jetty to version 9.4.52, 10.0.16, 11.0.16, or 12.0.1 or later, matching the deployed branch
- Inventory all Java applications and embedded servers using Jetty, including transitive dependencies in build manifests
- Apply Debian package updates per DSA-5507 and the Debian LTS Announcement for affected Debian Linux releases
Patch Information
The Eclipse Foundation released fixed builds in Jetty 9.4.52, 10.0.16, 11.0.16, and 12.0.1. The patch enforces strict numeric parsing of the Content-Length header field. Patch details are published in the Eclipse Jetty GitHub Security Advisory GHSA-hmr7-m48g-48f6.
Workarounds
- The vendor states there is no workaround because no practical exploit scenario is known; upgrading remains the recommended remediation
- As a defense-in-depth measure, place a strict RFC-compliant reverse proxy in front of Jetty that closes connections after returning HTTP 400 responses
# Verify installed Jetty version on a Debian-based host
dpkg -l | grep -i jetty
# Upgrade Jetty packages on Debian
sudo apt-get update
sudo apt-get install --only-upgrade jetty9
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.