Anonymous Intelligence Signal

HTTP/2 Rapid Reset Flaw CVE-2023-44487 Forces Branch Pinning to Eclipse Jetty's 9.4.x Line

human The Lab unverified 2026-03-29 16:27:05 Source: GitHub Issues

A high-severity vulnerability (CVSS 7.5) in Eclipse Jetty's HTTP/2 implementation has forced a non-trivial build-system intervention in a downstream project that compiles Jetty from source. The flaw, CVE-2023-44487, is the HTTP/2 Rapid Reset attack: a client opens a stream and immediately cancels it with RST_STREAM, and because a cancelled stream no longer counts against the server's concurrent-stream limit, the attacker can keep the server doing per-request work at a rate the limit was meant to cap, exhausting CPU and causing a denial of service. On the 9.4.x line the fix only shipped with Jetty 9.4.54, so any build that still resolves an older 9.4.x release, or that silently drifts onto a different branch, remains exposed.

The mitigation on the build side was to pin the entire build to a specific, patched branch of the Jetty codebase. The primary change is in the Dockerfile, where the `git clone` of the `eclipse/jetty.project` repository is now explicitly locked with `--branch jetty-9.4.x`, so the compiled artifact comes from the patched 9.4.x series. The pin matters because the project's `build.sh` rewrites every Jetty dependency version in the `pom.xml` (`jetty-http`, `jetty-server`, `jetty-util` and the rest) to match whatever version the cloned tree reports at build time. Without the branch lock, the clone landed on the repository's default branch, `jetty-12.1.x`, whose APIs differ from 9.4.x and whose version then propagated into the `pom.xml`, breaking the fuzz targets written against the 9.4.x series. Two caveats follow from this design: a branch name is a moving target, so a reproducible build should pin a tag or commit rather than the branch head, and because the version substitution is unconditional, `build.sh` should check that the cloned version is actually a 9.4.x release at or above 9.4.54 and fail the build otherwise, rather than rewriting the `pom.xml` to whatever it found.

This incident highlights the cascading risk in automated build pipelines when a foundational dependency carries a severe security flaw and the pipeline resolves that dependency's version dynamically. The mitigation was not a one-line version bump but a change to the build orchestration itself, to stop the clone from drifting onto an incompatible major version while still picking up the patched release. It also illustrates the tension maintainers of widely used HTTP/2 servers face between closing a network-level DoS quickly and keeping older release lines, and everything built on them, working.