Описание
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
A flaw was found in Jetty, a Java based web server and servlet engine. If an HTTP/2 connection gets TCP congested, it remains open and idle, and connections may be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients.
Отчет
The issue in Jetty where HTTP/2 connections can enter a congested, idle state and potentially exhaust server file descriptors represents a moderate severity due to its impact on system resources and service availability. While the vulnerability requires the deliberate creation of numerous congested connections by an attacker, its exploitation can lead to denial-of-service conditions by consuming all available file descriptors. This scenario could disrupt legitimate client connections and impair server responsiveness.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Serverless | jetty | Not affected | ||
| Red Hat build of Apache Camel 4 for Quarkus 3 | jetty | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 3 | jetty | Out of support scope | ||
| Red Hat Data Grid 8 | jetty | Not affected | ||
| Red Hat Enterprise Linux 7 | jetty | Out of support scope | ||
| Red Hat Fuse 7 | jetty | Affected | ||
| Red Hat Integration Camel K 1 | jetty | Will not fix | ||
| Red Hat Integration Camel Quarkus 2 | jetty | Not affected | ||
| Red Hat JBoss Data Grid 7 | jetty | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 7 | jetty | Not affected |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL con ...
7.5 High
CVSS3