CVE-2024-9823 Overview
A security vulnerability exists in Eclipse Jetty's DosFilter component that unauthenticated remote clients can exploit to cause a denial of service (DoS) on servers that have the filter enabled. By repeatedly sending crafted requests, an attacker can trigger OutOfMemoryError conditions and exhaust the server's heap, ultimately disrupting service.
Critical Impact
Remote, unauthenticated attackers can exhaust the heap of a Jetty server that has DosFilter enabled by sending repeated crafted requests; the resulting OutOfMemoryError leaves the JVM unresponsive or crashed. The impact is to availability only: no data is disclosed and no state is modified.
Affected Products
- Eclipse Jetty 9.4.x before 9.4.54, 10.0.x before 10.0.18, 11.0.x before 11.0.18, and 12.0.x before 12.0.4 (ranges per the GitHub Security Advisory; older, end-of-life lines such as 9.3.x did not receive a fix)
- NetApp Bootstrap OS
- NetApp HCI Compute Node
- NetApp Active IQ Unified Manager (Linux, VMware vSphere, Windows)
Discovery Timeline
- 2024-10-14 - CVE-2024-9823 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-9823
Vulnerability Analysis
This vulnerability affects the DosFilter (Denial of Service Filter) in Eclipse Jetty, a servlet filter that tracks and throttles requests per client and is shipped precisely to protect applications from DoS traffic. In Jetty 9, 10 and 11 the class is org.eclipse.jetty.servlets.DoSFilter in the jetty-servlets artifact; in Jetty 12 it lives in the ee8, ee9 and ee10 servlets modules. The flaw is classified as CWE-400 (Uncontrolled Resource Consumption): the filter does not adequately bound the memory it consumes while processing incoming requests. When exploited, the filter's resource use grows until the JVM raises java.lang.OutOfMemoryError, which can crash the JVM outright or leave the application unresponsive. Only deployments that actually map the filter (in web.xml or programmatically) expose the vulnerable code path; having the jar on the classpath without registering the filter does not by itself make a server exploitable.
Root Cause
The public advisory and the CVE record describe the effect (repeated crafted requests drive heap usage until an OutOfMemoryError) rather than the exact allocation path, so what follows is the general failure shape of this class of bug, not a confirmed trace through the Jetty code. A rate-limiting filter must keep per-client state (request counts, timestamps, identifiers) to decide what to throttle; if that state is keyed by values the client influences and is not bounded or reclaimed on a schedule the attacker's traffic respects, every crafted request leaves a little more behind, and the heap grows until the JVM fails. CWE-400 covers exactly this: an input the server accepts for free costs it memory it never gets back. Whatever the precise trigger, the consequence is the same: the condition persists until the heap is exhausted, and an OutOfMemoryError anywhere in the request path affects the entire application, not just the filtered endpoints.
Attack Vector
The attack vector is network-based and requires neither authentication nor user interaction. An attacker sends specially crafted HTTP requests to a Jetty server on which DosFilter is mapped; repeating them systematically exhausts the heap, so attack complexity is low. Because the filter is commonly deployed on internet-facing endpoints as the rate-limiting control, the servers that have it enabled are exactly the ones an attacker can reach. A DoS protection filter that is itself a DoS vector inverts the control's purpose: until patched, enabling it widens the attack surface of the deployments it is meant to protect.
The vulnerability affects application availability while confidentiality and integrity remain unaffected. Attackers can effectively take down services without gaining access to sensitive data or modifying system state.
Detection Methods for CVE-2024-9823
Indicators of Compromise
- Unusual memory consumption patterns on Jetty servers, particularly rapid heap growth
- Frequent java.lang.OutOfMemoryError exceptions in application logs
- High volume of HTTP requests from single or multiple source IPs targeting DosFilter-protected endpoints
- JVM garbage collection overhead spikes preceding service crashes
Detection Strategies
- Monitor JVM heap usage metrics for anomalous growth patterns that could indicate memory exhaustion attacks
- Implement network-level rate limiting upstream of Jetty to detect and block high-volume request patterns
- Configure alerting on OutOfMemoryError occurrences in application and server logs
- Deploy application performance monitoring (APM) tools to track heap growth, GC pause time and request latency on the filtered paths; a steadily rising heap alongside flat legitimate traffic is the signature to look for
Monitoring Recommendations
- Enable JMX monitoring on the Jetty process for JVM memory pools and garbage collection metrics
- Implement centralized log aggregation to correlate memory errors with incoming request patterns
- Set threshold-based alerts for heap utilization exceeding normal operational baselines
- Monitor connection counts and request rates at the load balancer or reverse proxy level
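To turn the indicators above into something that can run over real logs, here is an added example (not part of the original page and not Jetty tooling) that parses Jetty's NCSA request log and its server log, finds clients whose request rate peaks above a threshold in a sliding window, and for each java.lang.OutOfMemoryError reports the busiest clients in the 30 seconds before it. The log lines it ships with are constructed, not captured traffic; the window, the threshold and the assumption that both logs use UTC are choices to adjust for your environment.

```python
"""Correlate Jetty request volume with OutOfMemoryError events (added example)."""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Jetty's NCSA request log: client - user [time] "METHOD path proto" status bytes ...
NCSA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
NCSA_TS = "%d/%b/%Y:%H:%M:%S %z"
# Jetty StdErrLog-style prefix "2024-10-14 12:00:09.502:WARN:..." (assumed UTC, like the request log)
SERVER_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+:(?P<level>\w+):")
OOM_MARK = "java.lang.OutOfMemoryError"


def parse_requests(lines):
    """Return [(timestamp, client_ip, path)] for each well-formed NCSA line, oldest first."""
    events = []
    for line in lines:
        m = NCSA_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], NCSA_TS), m["ip"], m["path"]))
    events.sort(key=lambda e: e[0])
    return events


def rate_offenders(events, window_s=10, threshold=20):
    """Peak requests per client within any window_s-second sliding window.

    Returns {ip: peak} for clients whose peak reached threshold."""
    window = timedelta(seconds=window_s)
    recent, peak = {}, Counter()
    for ts, ip, _ in events:
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def oom_events(server_lines):
    """Timestamps of lines in the Jetty server log that report an OutOfMemoryError."""
    found = []
    for line in server_lines:
        m = SERVER_RE.match(line)
        if m and OOM_MARK in line:
            found.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc))
    return found


def correlate(events, server_lines, lookback_s=30, top=3):
    """For each OOM, the clients that sent the most requests in the lookback_s seconds before it.

    Returns [(oom_timestamp, [(ip, count), ...])]."""
    lookback = timedelta(seconds=lookback_s)
    report = []
    for oom_ts in oom_events(server_lines):
        hits = Counter(ip for ts, ip, _ in events if oom_ts - lookback <= ts <= oom_ts)
        report.append((oom_ts, hits.most_common(top)))
    return report


def sample_logs():
    """Constructed sample input, not captured traffic: one client bursts 40 POSTs at a
    filtered endpoint over 8 seconds, a normal client makes 3 requests, then the JVM OOMs."""
    base = datetime(2024, 10, 14, 12, 0, 0, tzinfo=timezone.utc)
    requests = []
    for i in range(40):
        t = (base + timedelta(milliseconds=200 * i)).strftime(NCSA_TS)
        requests.append(f'203.0.113.7 - - [{t}] "POST /api/login HTTP/1.1" 429 0 "-" "curl/8.0"')
    for i in range(3):
        t = (base + timedelta(seconds=3 * i)).strftime(NCSA_TS)
        requests.append(f'192.0.2.10 - - [{t}] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    server = [
        "2024-10-14 12:00:03.117:INFO:oejs.Server:main: Started @1234ms",
        "2024-10-14 12:00:09.502:WARN:oejs.HttpChannel:qtp1-12: java.lang.OutOfMemoryError: Java heap space",
    ]
    return requests, server


if __name__ == "__main__":
    req_lines, srv_lines = sample_logs()
    events = parse_requests(req_lines)
    print("rate offenders:", rate_offenders(events))
    for oom_ts, talkers in correlate(events, srv_lines):
        print(f"OOM at {oom_ts:%H:%M:%S}, top clients in prior 30s: {talkers}")
```

Run it against the real files by replacing sample_logs() with the contents of Jetty's request log and server log. The sliding-window count is what an upstream rate limiter would see; the correlation step is the part that tells you whether an OutOfMemoryError was preceded by one source's burst (this CVE's pattern) or by organic load.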
How to Mitigate CVE-2024-9823
Immediate Actions Required
- Review the GitHub Security Advisory for detailed patch information and affected version ranges
- Upgrade Eclipse Jetty to a patched version as specified in vendor advisories
- Implement upstream rate limiting through load balancers or a WAF so that the request volume reaching Jetty, and therefore the filter, is capped before it arrives
- Monitor server memory utilization closely until patches can be applied
Patch Information
Eclipse has addressed this vulnerability in updated Jetty releases. Per the GitHub Security Advisory, the fix shipped in Jetty 9.4.54, 10.0.18, 11.0.18 and 12.0.4; earlier releases on those lines (9.4.0 through 9.4.53, 10.0.0 through 10.0.17, 11.0.0 through 11.0.17, 12.0.0 through 12.0.3) are affected, and end-of-life lines such as 9.3.x did not receive a fix and should be treated as affected. Consult the advisory for the authoritative ranges and upgrade paths, and upgrade every Jetty artifact in the deployment to the same release: the filter ships in jetty-servlets (in Jetty 12, the ee8/ee9/ee10 servlets modules), so a partial upgrade that leaves an old servlets jar in place leaves the vulnerable class in place. NetApp customers should refer to the NetApp Security Advisory for guidance on affected products including Active IQ Unified Manager. Debian users can find package updates detailed in the Debian LTS Announcement.
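Before reaching for workarounds, confirm whether the deployed Jetty is actually in the affected range. The following added example (not Jetty tooling; the fixed versions 9.4.54, 10.0.18, 11.0.18 and 12.0.4 are taken from the GitHub Security Advisory, and the jar names are constructed samples) parses Jetty jar file names such as those in $JETTY_HOME/lib or a WAR's WEB-INF/lib, extracts the version, flags anything below the fixed release on its line, and marks the artifacts that actually carry DoSFilter (jetty-servlets; in Jetty 12, jetty-ee8/ee9/ee10-servlets).

```python
"""Triage Jetty jar versions against the CVE-2024-9823 fixed releases (added example)."""
import re
from pathlib import Path

# First fixed release on each maintained line, per the GitHub Security Advisory.
FIXED = {(9, 4): (9, 4, 54), (10, 0): (10, 0, 18), (11, 0): (11, 0, 18), (12, 0): (12, 0, 4)}

# Artifacts that contain the DoSFilter class itself.
FILTER_ARTIFACTS = {"jetty-servlets", "jetty-ee8-servlets", "jetty-ee9-servlets", "jetty-ee10-servlets"}

# jetty-servlets-9.4.53.v20231009.jar, jetty-ee10-servlets-12.0.3.jar, jetty-server-10.0.17.jar ...
JAR_RE = re.compile(r"^(?P<artifact>jetty-[a-z0-9-]+?)-(?P<version>\d+\.\d+\.\d+(?:\.v\d{8})?)\.jar$")


def parse_version(version):
    """'9.4.53.v20231009' -> (9, 4, 53). The .vYYYYMMDD qualifier on 9.4.x is ignored for ordering."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this release predates the fix on its line.

    Lines the advisory does not list (e.g. 9.3.x, end-of-life) never received the fix,
    so they are reported as affected rather than silently passed."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is None or v < fixed


def triage_jars(jar_names):
    """[(jar, version, carries_dosfilter, affected)] for every Jetty jar name recognised."""
    rows = []
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            rows.append((name, m["version"], m["artifact"] in FILTER_ARTIFACTS, is_affected(m["version"])))
    return rows


def triage_dir(lib_dir):
    """Scan a directory tree (e.g. $JETTY_HOME/lib or a WAR's WEB-INF/lib) for Jetty jars."""
    return triage_jars(p.name for p in Path(lib_dir).rglob("*.jar"))


# Constructed sample jar names, not a real deployment.
SAMPLE_JARS = [
    "jetty-servlets-9.4.53.v20231009.jar",
    "jetty-server-9.4.53.v20231009.jar",
    "jetty-ee10-servlets-12.0.3.jar",
    "jetty-servlets-10.0.18.jar",
    "jetty-util-12.0.4.jar",
    "not-jetty-1.0.0.jar",
    "jetty-servlets-11.0.20.jar",
]

if __name__ == "__main__":
    for jar, ver, carries, affected in triage_jars(SAMPLE_JARS):
        tag = "VULNERABLE" if affected and carries else "upgrade" if affected else "ok"
        print(f"{tag:10} {jar} ({ver}){' [contains DoSFilter]' if carries else ''}")
```

A jar in the affected range that does not carry the filter is still reported as "upgrade" rather than "ok": Jetty artifacts are released together and should be upgraded together, and a version check on file names cannot tell you whether the filter is mapped in web.xml, which is the other half of the exposure question.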
Workarounds
- Consider temporarily disabling DosFilter if alternative DoS protection is in place (WAF, CDN, or reverse-proxy rate limits); removing the filter mapping removes the vulnerable code path, but it also removes the per-client throttling the filter provided, so do not disable it without a replacement in front of Jetty
- Set explicit JVM heap limits (-Xmx) so that one exhausted JVM cannot take the host with it, and pair them with -XX:+ExitOnOutOfMemoryError and a process supervisor so the server restarts cleanly instead of limping along after an OutOfMemoryError; a heap cap contains the blast radius, it does not stop the attacker from filling the heap
- Deploy external rate limiting at the network perimeter using load balancers or reverse proxies, keyed by client address
- Limit concurrent connections in Jetty itself (for example with org.eclipse.jetty.server.ConnectionLimit, or AcceptRateLimit for the rate of new connections) so a single source cannot open enough connections to deliver the request volume the attack needs; this reduces, but does not eliminate, exposure while unpatched
# Example JVM memory configuration to limit impact; adjust values to server capacity.
# -Xmx caps the heap so an exhausted Jetty JVM does not starve the host. The heap-dump
# flags preserve what filled the heap for post-incident analysis (the dump is written
# before the JVM exits). -XX:+ExitOnOutOfMemoryError (JDK 8u92 and later) makes the JVM
# exit on OOM so a supervisor can restart it instead of leaving a wedged process serving nothing.
export JAVA_OPTS="-Xmx2g -Xms1g -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/jetty/ -XX:+ExitOnOutOfMemoryError"

# Example nginx upstream rate limiting (if using nginx as the reverse proxy).
# In the http block of nginx.conf: a 10 MB zone keyed by client address, 10 requests/s per client.
limit_req_zone $binary_remote_addr zone=jetty_limit:10m rate=10r/s;
# In the location block that proxies to Jetty: allow bursts of 20, reject the excess immediately.
limit_req zone=jetty_limit burst=20 nodelay;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.