gerrit
Fixed in: 2.15.22, 2.16.26, 3.0.16, 3.1.12, 3.2.7, 3.3.2
CVE-2021-22553 describes a memory exhaustion vulnerability in Gerrit Code Review Server. Repeated Git operations, passed through Jetty, create persistent sessions without expiry, ultimately leading to a denial-of-service condition due to excessive memory consumption. This vulnerability affects Gerrit versions 3.3.2 and earlier. A fix is available in version 3.3.2.
The primary impact of CVE-2021-22553 is a denial-of-service (DoS) condition. An attacker, or even a legitimate user performing numerous Git operations, can trigger the creation of an excessive number of Jetty sessions. Because these sessions lack an expiry mechanism, they accumulate in memory. This relentless accumulation eventually exhausts the server's available memory, causing Gerrit to become unresponsive or crash. The blast radius extends to all users relying on the affected Gerrit instance for code review and collaboration, potentially disrupting development workflows and delaying releases. The vulnerability's ease of triggering, combined with the potential for widespread disruption, makes it a significant concern.
CVE-2021-22553 was publicly disclosed on February 17, 2021. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No public proof-of-concept (PoC) code has been released, although the vulnerability's nature makes it relatively straightforward to reproduce. It is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on Gerrit for code review, particularly those with large development teams or frequent Git activity, are at increased risk. Environments with limited server resources or inadequate monitoring practices are also more vulnerable. Teams using older Gerrit versions without robust session management configurations are particularly exposed.
• java / server: Sample the Gerrit JVM's heap with jstat (ten samples, one per minute) and read the OU column (old-generation used, KB) together with the FGC column (full-GC count); old-generation usage that does not drop after full GCs indicates retained objects:
ps -ef | grep gerrit | grep -v grep | awk '{print $2}' | xargs -I {} jstat -gc {} 60000 10
• java / server: Monitor Gerrit's memory usage using tools like JConsole or VisualVM. Look for steadily increasing heap usage without corresponding decreases.
• java / server: Check Gerrit's Jetty configuration for session timeout settings. Ensure that session timeouts are properly configured to prevent unbounded session creation.
• java / server: Review Gerrit logs for errors related to memory allocation or Jetty session management.
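The heap check described above, as an added example that is not part of the advisory or of Gerrit itself: it parses constructed `jstat -gc` samples and compares the old-generation floor left after each full GC (the OU value in the first row where FGC has incremented). A floor that only ever rises is the signature of retained objects such as unexpired sessions; a flat floor is healthy.

```python
from typing import Dict, List

# Constructed samples in the row format of `jstat -gc <pid> 60000` (values in
# KB, one row per minute). OU = old-generation used, FGC = full-GC count.
# SAMPLE_LEAK: each full GC frees less than the previous one (floor rising).
SAMPLE_LEAK = """\
S0C S1C S0U S1U EC EU OC OU MC MU CCSC CCSU YGC YGCT FGC FGCT GCT
8192 8192 0 1024 65536 30000 1048576 200000 50000 48000 6000 5500 10 0.12 1 0.30 0.42
8192 8192 1024 0 65536 50000 1048576 400000 50000 48000 6000 5500 20 0.24 1 0.30 0.54
8192 8192 0 1024 65536 10000 1048576 260000 50000 48000 6000 5500 30 0.36 2 0.65 1.01
8192 8192 1024 0 65536 40000 1048576 500000 50000 48000 6000 5500 40 0.48 2 0.65 1.13
8192 8192 0 1024 65536 12000 1048576 340000 50000 48000 6000 5500 50 0.60 3 1.05 1.65
8192 8192 1024 0 65536 45000 1048576 600000 50000 48000 6000 5500 60 0.72 3 1.05 1.77
8192 8192 0 1024 65536 9000 1048576 430000 50000 48000 6000 5500 70 0.84 4 1.50 2.34
"""
# SAMPLE_HEALTHY: full GCs keep returning the old generation to the same floor.
SAMPLE_HEALTHY = """\
S0C S1C S0U S1U EC EU OC OU MC MU CCSC CCSU YGC YGCT FGC FGCT GCT
8192 8192 0 1024 65536 30000 1048576 250000 50000 48000 6000 5500 10 0.12 1 0.30 0.42
8192 8192 1024 0 65536 20000 1048576 252000 50000 48000 6000 5500 20 0.24 2 0.60 0.84
8192 8192 0 1024 65536 25000 1048576 249000 50000 48000 6000 5500 30 0.36 3 0.90 1.26
8192 8192 1024 0 65536 22000 1048576 251000 50000 48000 6000 5500 40 0.48 4 1.20 1.68
"""

def parse_jstat(text: str) -> List[Dict[str, float]]:
    """Turn jstat's whitespace-separated table into one dict per sample row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            continue  # skip a truncated or interleaved line
        rows.append(dict(zip(header, map(float, fields))))
    return rows

def post_full_gc_floors(rows: List[Dict[str, float]]) -> List[float]:
    """OU (KB) in the first sample after each full GC: the live-set floor."""
    floors, prev_fgc = [], None
    for r in rows:
        if prev_fgc is not None and r["FGC"] > prev_fgc:
            floors.append(r["OU"])
        prev_fgc = r["FGC"]
    return floors

def leak_suspected(rows, min_full_gcs: int = 3, growth_kb: float = 1024.0) -> bool:
    """True when the post-full-GC floor rises by > growth_kb at every full GC."""
    floors = post_full_gc_floors(rows)
    return len(floors) >= min_full_gcs and all(
        b - a > growth_kb for a, b in zip(floors, floors[1:]))
```

Feed it real `jstat -gc <pid> 60000 N` output captured over an hour of normal Git traffic; the thresholds are starting points to tune to the instance's heap size.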
EPSS: 0.09% (26th percentile)
The recommended mitigation for CVE-2021-22553 is to immediately upgrade Gerrit to version 3.3.2 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. While not a complete solution, limiting the number of concurrent Git operations or implementing session timeouts within the Jetty configuration might reduce the rate of session creation. Monitor Gerrit server memory usage closely and proactively restart the server if memory consumption approaches critical levels. After upgrading, confirm the fix by performing a series of Git operations and verifying that memory usage remains stable.
Upgrade Gerrit to version 2.15.22, 2.16.26, 3.0.16, 3.1.12, 3.2.7 or 3.3.2, or to a later version. This fixes the heap memory exhaustion caused by Jetty sessions that never expire.
CVE-2021-22553 is a medium severity vulnerability affecting Gerrit versions 3.3.2 and earlier. Repeated Git operations create unbounded Jetty sessions, leading to heap memory exhaustion and potential denial of service.
If you are using Gerrit versions 3.3.2 or earlier, you are affected by this vulnerability. Upgrade to version 3.3.2 or later to mitigate the risk.
The recommended fix is to upgrade Gerrit to version 3.3.2 or later. If an immediate upgrade is not possible, consider temporary workarounds like limiting Git operations or implementing session timeouts.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-22553, but the vulnerability's nature makes it relatively easy to reproduce.
Refer to the official Gerrit security advisory for detailed information and instructions: https://groups.google.com/g/gerrit-announce/c/Vv-wz1-w_2Q