PT-2022-6930 · Eclipse · Eclipse Jetty

Published

2022-07-07

·

Updated

2022-09-23

·

CVE-2022-2191

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions 10.0.0 through 10.0.9
Eclipse Jetty versions 11.0.0 through 11.0.9

Description

The vulnerability is in the SslConnection component of the Eclipse Jetty servlet container and is a resource release error: on error code paths, SslConnection does not return the ByteBuffers it acquired to the configured ByteBufferPool. For example, when a connector requires TLS client authentication and a client presents an expired certificate, the TLS handshake fails and the ByteBuffers used to process that handshake are leaked. Because a failing handshake needs no valid credentials, a remote attacker can repeat it until the server runs out of memory, causing a denial of service.

Recommendations

For Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, explicitly configure a RetainableByteBufferPool with maxHeapMemory and maxDirectMemory set, for example to 128 MB each. This is a temporary workaround: it bounds the amount of memory the leak can consume rather than eliminating the leak.

With embedded Jetty, create a new ArrayRetainableByteBufferPool with those limits and add it to the Server before starting it. With jetty-home/jetty-base, create a retainable-byte-buffer-config.xml file in the ${jetty.base}/etc directory that configures the same pool, and reference it from the ${jetty.base}/start.d/retainable-byte-buffer-config.ini file.

At the time this entry was updated, there was no information about a newer version that contains a fix for this vulnerability.
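The embedded-Jetty form of this workaround, as an added example that is not code from the advisory or from the Jetty project. It assumes the six-argument ArrayRetainableByteBufferPool constructor (minCapacity, factor, maxCapacity, maxBucketSize, maxHeapMemory, maxDirectMemory) of the 10.0.x/11.0.x line, that connectors pick up the RetainableByteBufferPool bean registered on the Server when they are constructed, and placeholder keystore paths with passwords taken from environment variables; the class name CappedBufferPoolServer and the helper installCappedPool are made up for this example.

```java
import org.eclipse.jetty.io.ArrayRetainableByteBufferPool;
import org.eclipse.jetty.io.RetainableByteBufferPool;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Added example (not Jetty project code): an embedded Jetty 10/11 server whose
 * retainable buffer pool is capped at 128 MB of heap and 128 MB of direct memory,
 * so that the SslConnection handshake leak described in CVE-2022-2191 cannot
 * grow without bound. The leak itself is still present until Jetty is upgraded.
 */
public class CappedBufferPoolServer {

    // 128 MB, the figure used in the advisory for both maxHeapMemory and maxDirectMemory.
    static final long MAX_POOL_MEMORY = 128L * 1024 * 1024;

    /**
     * Creates the capped pool and registers it on the Server. Must run before any
     * connector is created (assumption: connectors resolve the pool bean from the
     * Server in their constructor, so a pool added later is not used by them).
     * Returns the pool so the caller can verify the registration.
     */
    static RetainableByteBufferPool installCappedPool(Server server, long maxMemory) {
        // Argument order assumed from the 10.0.x/11.0.x signature:
        // minCapacity, factor, maxCapacity, maxBucketSize, maxHeapMemory, maxDirectMemory.
        RetainableByteBufferPool pool = new ArrayRetainableByteBufferPool(
                0, 1024, 64 * 1024, Integer.MAX_VALUE, maxMemory, maxMemory);
        server.addBean(pool);

        // Sanity check: the Server must now resolve our pool, not a default one.
        if (server.getBean(RetainableByteBufferPool.class) != pool) {
            throw new IllegalStateException("capped RetainableByteBufferPool was not registered");
        }
        return pool;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        installCappedPool(server, MAX_POOL_MEMORY);

        // TLS with mandatory client authentication: the configuration in which the
        // advisory says a client presenting an expired certificate leaks buffers.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/path/to/keystore.p12");      // placeholder path
        ssl.setKeyStorePassword(System.getenv("KEYSTORE_PASSWORD"));
        ssl.setTrustStorePath("/path/to/truststore.p12");  // placeholder path
        ssl.setTrustStorePassword(System.getenv("TRUSTSTORE_PASSWORD"));
        ssl.setNeedClientAuth(true);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        HttpConnectionFactory http11 = new HttpConnectionFactory(httpsConfig);
        SslConnectionFactory tls = new SslConnectionFactory(ssl, http11.getProtocol());

        // The connector is created only after the capped pool is on the Server.
        ServerConnector connector = new ServerConnector(server, tls, http11);
        connector.setPort(8443);
        server.addConnector(connector);

        server.start();
        server.join();
    }
}
```

For a jetty-home/jetty-base deployment the same six constructor arguments go into ${jetty.base}/etc/retainable-byte-buffer-config.xml as a `<New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool">` passed to the Server's addBean, and the XML file is listed in ${jetty.base}/start.d/retainable-byte-buffer-config.ini. In either form, watch the pool's heap and direct memory in monitoring after applying the cap: a pool that sits at the limit under a stream of failed client-auth handshakes is the signature of the leak being exercised.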

Exploit

Weakness Enumeration

Improper Resource Release

Related Identifiers

BDU:2023-05665
CVE-2022-2191
GHSA-8MPP-F3F7-XC28

Affected Products

Eclipse Jetty