Urgent SUSE Linux security update: Patch CVE-2025-5115 in Jetty-minimal now. This critical HTTP/2 vulnerability (CVSS 8.7) allows remote DoS attacks. Learn which SUSE & openSUSE products are affected and get the exact zypper commands to secure your enterprise servers immediately.
A high-severity security flaw has been identified in the Jetty-minimal web server component, threatening the stability of numerous SUSE Linux Enterprise and openSUSE systems. Designated as CVE-2025-5115, this vulnerability poses a significant risk of Denial-of-Service (DoS) attacks, potentially crippling enterprise applications and infrastructure services.
This urgent security bulletin provides a comprehensive analysis of the threat, a complete list of affected systems, and immediate mitigation steps to protect your environment.
For system administrators and DevOps engineers, understanding the scope and patching procedure is not just recommended—it's essential for maintaining operational integrity.
Understanding the CVE-2025-5115 Vulnerability: A MadeYouReset Attack
At its core, CVE-2025-5115 is a protocol-level weakness within the Jetty web server's handling of HTTP/2 connections. But what does that mean for your network security? Attackers can exploit this flaw by sending a specially crafted sequence of HTTP/2 frames, forcing the server to reset critical internal streams.
This ultimately leads to a catastrophic consumption of server resources, rendering the service unresponsive—a classic Denial-of-Service condition.
This threat is particularly severe because it can also be exploited through DNS over HTTPS (DoH) endpoints, broadening the potential attack surface. The vulnerability has received an "important" rating from SUSE, with CVSS v4.0 scores reaching as high as 8.7 (SUSE) and 7.7 (NVD), underscoring its critical nature.
Such a high CVSS score typically signals a vulnerability that is easy to exploit remotely with no authentication required, making patching an urgent priority for any enterprise security team.
Who is Affected? Complete List of Vulnerable SUSE Products
The scope of this jetty-minimal update is extensive, impacting a wide range of SUSE's product ecosystem. If your organization leverages any of the following operating systems or modules, you are likely vulnerable and must take action:
openSUSE Leap 15.6
SUSE Linux Enterprise Server (Versions 15 SP3, SP4, SP5, SP6, SP7 and their LTSS variants)
SUSE Linux Enterprise Server for SAP Applications (Versions 15 SP3, SP4, SP5, SP6, SP7)
SUSE Linux Enterprise Desktop (15 SP6, SP7)
SUSE Linux Enterprise High Performance Computing (15 SP3, SP4, SP5 and their ESPOS/LTSS variants)
SUSE Enterprise Storage 7.1
Development Tools Module (15-SP6, 15-SP7)
SUSE Package Hub 15 (15-SP6, 15-SP7)
SUSE Linux Enterprise Real Time (15 SP6, SP7)
This comprehensive coverage means nearly every modern SUSE deployment could be at risk. The common element is the use of a vulnerable version of the jetty-minimal package or its dependencies.
Immediate Action: How to Patch CVE-2025-5115
Patching this critical vulnerability is a straightforward process using SUSE's standard package management tools. The update upgrades Jetty-minimal to version 9.4.58.v20250814, which contains the necessary fixes.
Recommended Patching Methods:
YaST Online Update: The simplest graphical method for single servers.
zypper patch command: The most efficient and recommended command-line method for applying all necessary security patches.
Product-specific zypper in command: For targeted updates, use the exact command for your product listed below.
Patch Installation Commands by Product
Execute the following command in your terminal based on your specific SUSE product:
openSUSE Leap 15.6:
zypper in -t patch openSUSE-SLE-15.6-2025-2993=1
SUSE Linux Enterprise Server 15 SP6:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-2025-2993=1
SUSE Linux Enterprise Server for SAP Applications 15 SP6:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2025-2993=1
After running the update, remember to restart any services dependent on the Jetty web server to ensure the updated libraries are loaded into memory. For containerized environments, you will need to rebuild your images using the patched base images from the SUSE registry.
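A post-patch check for the steps above, added here as an example and not taken from the SUSE bulletin: it classifies a jetty-minimal version against the fixed 9.4.58.v20250814 level and, on a live host, lists processes that still need the restart. It assumes the RPM version field starts with the upstream Jetty number; the function names and the --host switch are hypothetical.

```shell
#!/bin/sh
# Added example: verify the jetty-minimal fix level after patching.
FIXED="9.4.58"   # numeric part of 9.4.58.v20250814, the fixed version in the article

# jetty_patch_state VERSION -> prints patched | vulnerable | unknown
# Accepts "9.4.57", "9.4.57.v20241219" or an RPM-style "9.4.57-<release>".
jetty_patch_state() {
    v=${1%%-*}    # drop an RPM release suffix, if present
    # Keep only the leading major.minor.patch triple; empty if it does not parse.
    v=$(printf '%s' "$v" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
    [ -n "$v" ] || { echo unknown; return; }
    case $v in
        9.4.*) ;;                      # the article only covers the 9.4 line
        *) echo unknown; return ;;     # other lines: consult the vendor advisory
    esac
    if [ "${v##*.}" -ge "${FIXED##*.}" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# check_host: query the installed package and list stale processes.
check_host() {
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' jetty-minimal 2>/dev/null) || ver=""
    echo "jetty-minimal ${ver:-not installed}: $(jetty_patch_state "$ver")"
    # Processes still using files deleted by the update must be restarted.
    zypper ps -s
}

# Only touch the system when explicitly asked: ./check.sh --host
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

An "unknown" result means the version string did not parse or belongs to a Jetty line this article does not cover, so it should be treated as unverified, not as safe.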
The Bigger Picture: Why Web Server Security is Non-Negotiable
This incident is a stark reminder of the critical role that embedded web servers like Jetty play in modern IT infrastructure. They are not just for serving websites; they are integral components in everything from development tools and SAP applications to high-performance computing clusters and storage systems.
A vulnerability in a single library can have cascading effects across an entire enterprise.
Proactive security hygiene, including subscribing to vendor security announcements and maintaining a regular patching cadence, is the most effective defense against such threats.
The high CVSS score and low attack complexity of CVE-2025-5115 mean that exploit attempts are likely to be automated and widespread soon.
Frequently Asked Questions (FAQ)
Q1: What is the real-world impact of this "MadeYouReset" DoS attack?
A: An unpatched server could be taken completely offline by a remote attacker, leading to application downtime, loss of productivity, and potential revenue loss for customer-facing services.
Q2: I don't use HTTP/2 on my server. Am I still vulnerable?
A: If the Jetty component is present and enabled, the vulnerability may still be reachable, especially through DNS over HTTPS features. The safest course of action is to apply the patch regardless of your current protocol usage.
Q3: Are other operating systems like Red Hat or Ubuntu also affected?
A: This vulnerability is in the Eclipse Jetty project itself. While this bulletin addresses SUSE's distribution of it, other Linux distributions that package a vulnerable version of Jetty are also affected. You should check your respective vendor's advisories.
Q4: Where can I find more technical details about this CVE?
A: You can read the official CVE details on the SUSE security page and track the original bug report on SUSE Bugzilla #1244252.
Conclusion: Secure Your Systems Immediately
The CVE-2025-5115 vulnerability in Jetty-minimal is a serious and urgent threat to business continuity. With a high CVSS score and the potential for complete service disruption, it demands immediate attention from IT and security teams.
The patching process is simple and low-risk, leveraging SUSE's robust update infrastructure.
Do not delay—review your asset inventory for affected systems today and deploy this critical security patch to mitigate the risk of a disruptive Denial-of-Service attack. Your first line of defense is a proactive and informed response.
