Jetty 9.3.x SSL CVE 100% CPU

Posted: 24 Apr 2021 21:15
by zzz
ref: https://github.com/eclipse/jetty.projec ... -8j45-3r4w

This only affects you IF:

- You have SSL enabled on your currently running Jetty eepsite (this is not the default)

AND

- You are running a standard install (NOT a Debian/Ubuntu package install)

Workaround:

- Disable SSL on your eepsite until the next release (in the Hidden Services Manager SSL Wizard)

OR

- Build i2p from latest source from gitlab/github, currently 0.9.49-14 (ant updaterWithJetty)

I do NOT recommend attempting to follow the workaround in the link above; it's way too hard.

This would also affect the SSL console, but that's not the default, and if you are allowing untrusted people to access your console, you have worse problems than this.

The fix will be in our next release, 0.9.50.