CVE-2024-9823: 
Java vulnerability analysis and mitigation

A security vulnerability was discovered in Jetty's DosFilter (CVE-2024-9823) that can be exploited by unauthorized users to cause remote denial-of-service (DoS) attacks. The vulnerability affects multiple versions of Jetty, including versions >=9.0.0,<9.4.54, >=10.0.0,<10.0.18, >=11.0.0,<11.0.18, and >=12.0.0,<12.0.3. The issue was disclosed on October 14, 2024, and received a CVSS v3.1 base score of 5.3 (Medium) (Eclipse Advisory).

The vulnerability exists in the DoSFilter component, which is designed to protect web applications against DoS attacks by monitoring and tracking client request patterns. The internal tracking of requests in DoSFilter can lead to an OutOfMemory condition. The issue is tracked as CWE-400 (Uncontrolled Resource Consumption) and has been assigned a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network accessibility with low attack complexity and no required privileges or user interaction (Eclipse Advisory).

When exploited, attackers can trigger OutOfMemory errors by repeatedly sending crafted requests, ultimately exhausting the server's memory. This is particularly impactful for systems that have not configured session passivation or an aggressive session inactivation timeout (Eclipse Advisory).

The vulnerability has been patched in versions 9.4.54, 10.0.18, 11.0.18, and 12.0.3. As a workaround, users can configure the DoSFilter to not use sessions for tracking usage by setting the trackSessions init parameter to false, which will then use only the IP tracking mechanism. Additionally, sessions can be configured to have aggressive passivation or inactivation limits (Eclipse Advisory).