Jetty 9.3.x SSL CVE 100% CPU

Post Reply
User avatar
zzz
Posts: 152
Joined: 31 Mar 2018 13:15

Jetty 9.3.x SSL CVE 100% CPU

Post by zzz »

ref:
https://github.com/eclipse/jetty.projec ... -8j45-3r4w

This only affects you IF:

- You have SSL enabled on your currently running Jetty eepsite (this is not the default)

AND

- You are running a standard install (NOT a Debian/Ubuntu package install)

Workaround:

- Disable SSL on your eepsite until the next release (in the Hidden Services Manager SSL Wizard)

OR

- Build i2p from latest source from gitlab/github, currently 0.9.49-14 (ant updaterWithJetty)

I do NOT recommend attempting to follow the workaround in the link above, it's way too hard.

This would also affect the SSL console, but that's not the default, and if you are allowing untrusted people to access your console, you have worse problems than this.

The fix will be in our next release, 0.9.50.
Post Reply