PT-2022-6935 · Eclipse · Eclipse Jetty

Published

2022-07-07

·

Updated

2024-11-26

·

CVE-2022-2048

CVSS v2.0

7.8

High

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions prior to 9.4.47
Eclipse Jetty versions prior to 10.0.10
Eclipse Jetty versions prior to 11.0.10

Description

The issue arises from the incorrect handling of invalid HTTP/2 requests by the Eclipse Jetty HTTP/2 server implementation. When such a request is encountered, the error handling fails to properly clean up the active connection and its associated resources. This can lead to a Denial of Service scenario in which not enough resources remain to process valid requests. A malicious client may exploit this to render the server unresponsive by exhausting the HTTP/2 flow control window or causing TCP congestion on the connection, thereby blocking the selector thread from writing an error response.

Recommendations

For Eclipse Jetty versions prior to 9.4.47, update to version 9.4.47 or later.
For Eclipse Jetty versions prior to 10.0.10, update to version 10.0.10 or later.
For Eclipse Jetty versions prior to 11.0.10, update to version 11.0.10 or later.

As a temporary workaround, consider filtering requests before they reach Jetty, for example with a reverse proxy in front of the server.
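The version boundaries above are the practical check for this record: a host is exposed unless its Jetty build is at or beyond the fixed release of its branch. The following script is an added example, not part of this advisory or of the Jetty project, that parses Jetty version strings (including the "9.4.46.v20220331" build-tag form) and triages a constructed inventory against the three fixed releases. Versions outside the 9.4, 10.0 and 11.0 branches are handled under the advisory's literal "prior to" wording, which is an interpretation made here, not a statement from the advisory.

```python
"""Triage Jetty version strings against the fixed releases for CVE-2022-2048."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases stated in the advisory, keyed by maintained branch (major, minor).
FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 4): (9, 4, 47),
    (10, 0): (10, 0, 10),
    (11, 0): (11, 0, 10),
}

# Interpretation used here (assumption): a version in a branch the advisory does
# not list (e.g. 9.3.x) is affected if it is below the highest fixed release,
# matching the literal "versions prior to 11.0.10" wording; 12.x and later are not.
HIGHEST_FIXED = max(FIXED.values())

# Jetty version strings look like "9.4.46.v20220331" or "10.0.9"; the trailing
# ".vYYYYMMDD" build tag (or a "-qualifier") does not change the ordering.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-].*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if affected, False if at or beyond the fix, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    fixed = FIXED.get((v[0], v[1]))
    if fixed is not None:
        # Same branch as a fixed release: compare against that branch's fix.
        return v < fixed
    # Unlisted branch: fall back to the advisory's outermost boundary.
    return v < HIGHEST_FIXED


def triage(inventory: List[str]) -> Dict[str, str]:
    """Map 'host=version' inventory lines to 'affected', 'fixed' or 'unknown'."""
    report: Dict[str, str] = {}
    for line in inventory:
        host, _, version = line.partition("=")
        state = is_affected(version)
        if state is None:
            report[host] = "unknown"
        else:
            report[host] = "affected" if state else "fixed"
    return report


# Constructed sample inventory; hostnames and versions are hypothetical.
SAMPLE_INVENTORY = [
    "app-01=9.4.46.v20220331",
    "app-02=9.4.47.v20220610",
    "app-03=10.0.9",
    "app-04=11.0.10",
    "app-05=9.3.30.v20211001",
    "app-06=12.0.1",
    "app-07=n/a",
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as "unknown" deserve a manual look rather than being dropped: an inventory that records no version usually means the component was not detected, not that it is absent.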

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
BDU:2023-05681
BIT-JENKINS-2022-2048
CVE-2022-2048
DLA-3079-1
DSA-5198-1
GHSA-WGMR-MF83-7X4J
OESA-2023-1021
OESA-2023-1030
OESA-2023-1031
OESA-2023-1032
OPENSUSE-SU-2024:12182-1
RHSA-2023:0017
RHSA-2023:0777
RHSA-2023:3663

Affected Products

Alt Linux
Astra Linux
Eclipse Jetty
Jenkins