Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-8mpp-f3f7-xc28

Опубликовано: 07 июл. 2022
Источник: github
Github: Прошло ревью
CVSS3: 7.5

Описание

Jetty SslConnection does not release pooled ByteBuffers in case of errors

Impact

SslConnection does not release ByteBuffers in case of error code paths. For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the ByteBuffers used to process the TLS handshake will be leaked.

Workarounds

Configure explicitly a RetainableByteBufferPool with max[Heap|Direct]Memory to limit the amount of memory that is leaked. Eventually the pool will be full of "active" entries (the leaked ones) and will provide ByteBuffers that will be GCed normally.

With embedded-jetty

int maxBucketSize = 1000; long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory); server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started server.start();

With jetty-home/jetty-base

Create a ${jetty.base}/etc/retainable-byte-buffer-config.xml

<?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd"> <Configure id="Server" class="org.eclipse.jetty.server.Server"> <Call name="addBean"> <Arg> <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool"> <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg> <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg> <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg> </New> </Arg> </Call> </Configure>

And then reference it in ${jetty.base}/start.d/retainable-byte-buffer-config.ini

etc/retainable-byte-buffer-config.xml

References

https://github.com/eclipse/jetty.project/issues/8161

For more information

Ссылки

Пакеты

Наименование

org.eclipse.jetty:jetty-server

maven
Затронутые версииВерсия исправления

>= 10.0.0, < 10.0.10

10.0.10

Наименование

org.eclipse.jetty:jetty-server

maven
Затронутые версииВерсия исправления

>= 11.0.0, < 11.0.10

11.0.10

EPSS

Процентиль: 66%
0.00522
Низкий

7.5 High

CVSS3

CVE ID

CVE-2022-2191

Дефекты

CWE-404

Связанные уязвимости

ubuntu логотип

CVE-2022-2191

CVSS3: 7.5
ubuntu
около 3 лет назад

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.

redhat логотип

CVE-2022-2191

CVSS3: 7.5
redhat
около 3 лет назад

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.

nvd логотип

CVE-2022-2191

CVSS3: 7.5
nvd
около 3 лет назад

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.

debian логотип

CVE-2022-2191

CVSS3: 7.5
debian
около 3 лет назад

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 v ...

fstec логотип

BDU:2023-05665

CVSS3: 7.5
fstec
около 3 лет назад

Уязвимость компонента SslConnections контейнера сервлетов Eclipse Jetty, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 66%
0.00522
Низкий

7.5 High

CVSS3

CVE ID

CVE-2022-2191

Дефекты

CWE-404