GHSA-8mpp-f3f7-xc28 (CVE-2022-2191): Jetty SslConnection does not release pooled ByteBuffers in case of errors
Vulnerability from github
Impact

`SslConnection` does not release `ByteBuffer`s on error code paths.
For example, TLS handshakes that require client authentication, with clients that present expired certificates, trigger a TLS handshake error, and the `ByteBuffer`s used to process that handshake are leaked.
Workarounds

Explicitly configure a `RetainableByteBufferPool` with `maxHeapMemory` and `maxDirectMemory` limits to bound the amount of memory that can be leaked.
Eventually the pool fills up with "active" entries (the leaked ones); from then on it hands out `ByteBuffer`s that are not retained by the pool and are garbage-collected normally.
With embedded-jetty

``` java
import org.eclipse.jetty.io.ArrayRetainableByteBufferPool;
import org.eclipse.jetty.io.RetainableByteBufferPool;

int maxBucketSize = 1000;
long maxHeapMemory = 128 * 1024L * 1024L;   // 128 MB
long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB
RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);

server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started
server.start();
```
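The snippet above shows only the pool; the following is an added example (not code from the advisory or from the Jetty project) that puts the workaround in context: a complete embedded Jetty 10.0.x server with a TLS connector that requires client certificates (the code path the advisory names), the memory-bounded pool registered before start, and a periodic log line of the pool's retained memory so that an operator can watch leak growth approach the cap on an unpatched version. The keystore and truststore paths and passwords, the port, and the use of the pool's `getHeapMemory()`/`getDirectMemory()` accessors are assumptions of this example.

```java
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.io.ArrayRetainableByteBufferPool;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Added example, not part of the advisory: embedded Jetty 10.0.x server applying the
// advisory's workaround (memory-capped ArrayRetainableByteBufferPool) to a client-auth
// TLS connector, plus a monitor that logs retained pool memory against the caps.
public class BoundedPoolTlsServer
{
    // Same limits as the advisory's workaround snippet.
    static final int MAX_BUCKET_SIZE = 1000;
    static final long MAX_HEAP_MEMORY = 128 * 1024L * 1024L;   // 128 MB
    static final long MAX_DIRECT_MEMORY = 128 * 1024L * 1024L; // 128 MB

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();

        // Workaround: a pool with explicit memory caps. Buffers leaked on the TLS error
        // path stay "active" in the pool forever; once the caps are reached the pool
        // hands out unpooled buffers that are garbage-collected normally, so the leak
        // stops growing at MAX_HEAP_MEMORY + MAX_DIRECT_MEMORY.
        ArrayRetainableByteBufferPool pool = new ArrayRetainableByteBufferPool(
            0, -1, -1, MAX_BUCKET_SIZE, MAX_HEAP_MEMORY, MAX_DIRECT_MEMORY);
        server.addBean(pool); // must be added before server.start() so the connector uses it

        // TLS with mandatory client authentication: the handshake-failure path the
        // advisory describes (e.g. a client presenting an expired certificate).
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/etc/example/server-keystore.p12");        // assumed path
        ssl.setKeyStorePassword("changeit");                             // placeholder
        ssl.setTrustStorePath("/etc/example/client-ca-truststore.p12");  // assumed path
        ssl.setTrustStorePassword("changeit");                           // placeholder
        ssl.setNeedClientAuth(true);

        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpConfig));
        connector.setPort(8443); // assumed port
        server.addConnector(connector);
        server.setHandler(new DefaultHandler());

        // Detection aid: log retained pool memory every 30 seconds. On an affected
        // version, a steady climb toward the caps while clients fail the handshake is
        // the leak at work; on a fixed version the numbers settle once traffic is steady.
        // getHeapMemory()/getDirectMemory() are assumed accessors of the 10.0.x pool.
        ScheduledExecutorService monitor = Executors.newSingleThreadScheduledExecutor();
        monitor.scheduleAtFixedRate(() -> System.out.printf(
                "byteBufferPool retained: heap=%d/%d direct=%d/%d bytes%n",
                pool.getHeapMemory(), MAX_HEAP_MEMORY,
                pool.getDirectMemory(), MAX_DIRECT_MEMORY),
            30, 30, TimeUnit.SECONDS);

        try
        {
            server.start();
            server.join();
        }
        finally
        {
            monitor.shutdownNow();
        }
    }
}
```

The caps only bound the damage; the leak itself is fixed in jetty-server 10.0.10 and 11.0.10, so the monitor line is mainly useful for confirming that a deployment really is on a fixed version or that the workaround is holding until it is.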
With jetty-home/jetty-base

Create a `${jetty.base}/etc/retainable-byte-buffer-config.xml`:

``` xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool">
        <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg>
      </New>
    </Arg>
  </Call>
</Configure>
```

And then reference it in `${jetty.base}/start.d/retainable-byte-buffer-config.ini`:

```
etc/retainable-byte-buffer-config.xml
```

References

- https://github.com/eclipse/jetty.project/issues/8161
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
- https://nvd.nist.gov/vuln/detail/CVE-2022-2191
- https://github.com/eclipse/jetty.project
- https://security.netapp.com/advisory/ntap-20220909-0003

For more information

- Email us at security@webtide.com

Advisory record

- ID: GHSA-8mpp-f3f7-xc28
- Aliases: CVE-2022-2191
- Summary: Jetty SslConnection does not release pooled ByteBuffers in case of errors
- Affected package: org.eclipse.jetty:jetty-server (Maven)
- Affected ranges: 10.0.0 up to (not including) 10.0.10; 11.0.0 up to (not including) 11.0.10
- CWE: CWE-404
- Severity: HIGH; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Published: 2022-07-07T20:55:37Z (GitHub reviewed 2022-07-07T20:55:37Z; NVD published 2022-07-07T21:15:00Z)
- Modified: 2022-08-11T21:31:50Z