CVE-2021-28165: 
Java vulnerability analysis and mitigation

CVE-2021-28165 affects Eclipse Jetty versions 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1. The vulnerability was discovered in March 2021 and publicly disclosed in April 2021 (MITRE CVE, NVD).

The vulnerability occurs when the server receives an invalid large TLS frame (greater than 17408 bytes) that is incorrectly handled by Jetty. When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large TLS frame that causes CPU resources to eventually reach 100% usage (GitHub Advisory).

When successfully exploited, this vulnerability can lead to a denial of service condition by causing the CPU usage to reach 100% when Jetty is configured to handle SSL/TLS connections (Jenkins Advisory).

The vulnerability was fixed in Jetty versions 9.4.39, 10.0.2, and 11.0.2. Organizations should upgrade to these or later versions. A workaround is available through implementing a custom SslConnectionFactory class that checks buffer space and clears the input on overflow (GitHub Advisory).

Multiple organizations and projects responded to this vulnerability by releasing updates, including Jenkins which released version 2.277.3 to address the vulnerability, and Apache projects like Kafka, Spark, and Zookeeper which updated their Jetty dependencies (Jenkins Advisory).