The Eclipse Foundation Security Team has been made aware of the vulnerability VU#421644 affecting multiple HTTP/2 implementations, which could cause an out-of-memory crash. The crash can happen when an implementation does not sufficiently limit the number of CONTINUATION frames in one stream. The description of the issue, with links to the various CVEs assigned, is available from https://kb.cert.org/vuls/id/421644
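As an added illustration (not Eclipse code, and not how Jetty or Vert.X implement it), the following Python shows the defensive check the advisory is about: reassembling one header block from a HEADERS frame and its CONTINUATION frames while capping both the number of CONTINUATION frames and the total buffered bytes, so that a peer which never sends END_HEADERS cannot make the receiver grow its buffer without bound. The limit values, the `encode_frame` helper and the sample streams are constructed for this example; the code also ignores the PADDED and PRIORITY fields of HEADERS for brevity and treats the whole payload as header block fragment.

```python
import struct

# HTTP/2 frame types and flags (RFC 9113)
FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

FRAME_HEADER_LEN = 9

# Assumed policy values for this example; a real server chooses its own.
MAX_CONTINUATION_FRAMES = 8
MAX_HEADER_BLOCK_BYTES = 16 * 1024


class HeaderBlockTooLarge(Exception):
    """Raised when a header block exceeds the configured limits."""


def encode_frame(frame_type, flags, stream_id, payload):
    """Serialize one HTTP/2 frame (used only to build constructed input)."""
    length_bytes = struct.pack(">I", len(payload))[1:]  # 24-bit length
    stream_bytes = struct.pack(">I", stream_id & 0x7FFFFFFF)  # reserved bit cleared
    return length_bytes + bytes([frame_type, flags]) + stream_bytes + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) from a byte string of frames."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type = data[offset + 3]
        flags = data[offset + 4]
        stream_id = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        start = offset + FRAME_HEADER_LEN
        payload = data[start:start + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield frame_type, flags, stream_id, payload
        offset = start + length


def assemble_header_block(data, max_continuations=MAX_CONTINUATION_FRAMES,
                          max_bytes=MAX_HEADER_BLOCK_BYTES):
    """Reassemble one header block from HEADERS + CONTINUATION frames.

    Returns (stream_id, header_block_bytes). Raises HeaderBlockTooLarge as
    soon as either limit is exceeded, before the offending payload is
    buffered, so memory use stays bounded however many frames arrive.
    """
    stream_id = None
    chunks = []
    total = 0
    continuations = 0
    for frame_type, flags, sid, payload in iter_frames(data):
        if stream_id is None:
            if frame_type != FRAME_HEADERS:
                raise ValueError("header block must start with HEADERS")
            stream_id = sid
        else:
            if frame_type != FRAME_CONTINUATION or sid != stream_id:
                raise ValueError("expected CONTINUATION on the same stream")
            continuations += 1
            if continuations > max_continuations:
                raise HeaderBlockTooLarge(
                    f"more than {max_continuations} CONTINUATION frames")
        total += len(payload)
        if total > max_bytes:
            raise HeaderBlockTooLarge(f"header block exceeds {max_bytes} bytes")
        chunks.append(payload)
        if flags & FLAG_END_HEADERS:
            return stream_id, b"".join(chunks)
    raise ValueError("stream ended before END_HEADERS")


def benign_stream():
    """Constructed: HEADERS plus two CONTINUATION frames, END_HEADERS on the last."""
    return (encode_frame(FRAME_HEADERS, 0, 1, b"part1-")
            + encode_frame(FRAME_CONTINUATION, 0, 1, b"part2-")
            + encode_frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"part3"))


def never_ending_stream(n):
    """Constructed: HEADERS followed by n CONTINUATION frames, none with END_HEADERS."""
    return encode_frame(FRAME_HEADERS, 0, 1, b"x" * 64) + b"".join(
        encode_frame(FRAME_CONTINUATION, 0, 1, b"x" * 64) for _ in range(n))


def check(data):
    """Classify a constructed stream as 'ok', 'rejected' (limit hit) or 'incomplete'."""
    try:
        assemble_header_block(data)
        return "ok"
    except HeaderBlockTooLarge:
        return "rejected"
    except ValueError:
        return "incomplete"


if __name__ == "__main__":
    print(check(benign_stream()))            # ok
    print(check(never_ending_stream(100)))   # rejected
```

The important property is that the limit is enforced before each fragment is appended: the receiver's memory is bounded by the configured maximum, not by what the peer chooses to send, and a stream that stops without END_HEADERS is simply discarded as incomplete.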
Potentially affected Eclipse project teams have performed their analysis, and the results are as follows:
- Eclipse Jetty is not affected by the vulnerability. The following versions have been tested and are shown to be safe:
  - Eclipse Jetty 12.0.7 (currently supported version)
  - Eclipse Jetty 11.0.20 (now at End of Community Support)
  - Eclipse Jetty 10.0.20 (now at End of Community Support)
  - Eclipse Jetty 9.4.54 (now at End of Community Support)
- Eclipse Vert.X is not affected by the vulnerability.
As multiple popular projects are affected (including Apache HTTPD, the Go language, the nghttp2 library, and more), we recommend that all projects review their dependency list and follow those projects' recommendations for updates or configuration changes.
Eclipse Foundation Security Team