ghsa-8mpp-f3f7-xc28
Vulnerability from github
Impact

`SslConnection` does not release `ByteBuffer`s in case of error code paths.
For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake error, and the `ByteBuffer`s used to process the TLS handshake will be leaked.
Workarounds

Explicitly configure a `RetainableByteBufferPool` with `maxHeapMemory` and `maxDirectMemory` limits to bound the amount of memory that can be leaked.
Eventually the pool fills up with "active" entries (the leaked ones), and any further `ByteBuffer`s it provides will be GCed normally.
With embedded-jetty

```java
import org.eclipse.jetty.io.ArrayRetainableByteBufferPool;
import org.eclipse.jetty.io.RetainableByteBufferPool;

// `server` is an org.eclipse.jetty.server.Server instance that has not been started yet
int maxBucketSize = 1000;
long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB
long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB
RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);

server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started
server.start();
```
With jetty-home/jetty-base

Create a `${jetty.base}/etc/retainable-byte-buffer-config.xml`:

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool">
        <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg>
      </New>
    </Arg>
  </Call>
</Configure>
```

And then reference it in `${jetty.base}/start.d/retainable-byte-buffer-config.ini`:

```
etc/retainable-byte-buffer-config.xml
```
References
https://github.com/eclipse/jetty.project/issues/8161
For more information
- Email us at security@webtide.com
Advisory metadata

- ID: GHSA-8mpp-f3f7-xc28
- Summary: Jetty SslConnection does not release pooled ByteBuffers in case of errors
- Aliases: CVE-2022-2191
- CWE: CWE-404
- Severity: HIGH (CVSS v3.1 vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`)
- Affected package (Maven): org.eclipse.jetty:jetty-server
  - introduced 10.0.0, fixed 10.0.10
  - introduced 11.0.0, fixed 11.0.10
- Published: 2022-07-07T20:55:37Z (GitHub reviewed 2022-07-07T20:55:37Z; NVD published 2022-07-07T21:15:00Z)
- Modified: 2022-08-11T21:31:50Z
- Schema version: 1.4.0
- References:
  - https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28 (WEB)
  - https://nvd.nist.gov/vuln/detail/CVE-2022-2191 (ADVISORY)
  - https://github.com/eclipse/jetty.project/issues/8161 (WEB)
  - https://github.com/eclipse/jetty.project (WEB)
  - https://security.netapp.com/advisory/ntap-20220909-0003 (WEB)
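The affected ranges in the record above use OSV "ECOSYSTEM" events: a version is affected when `introduced <= version < fixed`. The following Python check is an added example, not part of this advisory or of the Jetty project: it evaluates a deployed `org.eclipse.jetty:jetty-server` version against the two ranges copied from the record. The version-ordering rule (a trailing qualifier such as `-SNAPSHOT` or Jetty 9's `.vYYYYMMDD` suffix sorts before the bare numeric version, as Maven orders pre-release qualifiers) is an assumption of this example, and the sample inventory at the bottom is constructed.

```python
import re

# Affected ranges copied from the OSV record on this page
# (Maven package org.eclipse.jetty:jetty-server, GHSA-8mpp-f3f7-xc28).
AFFECTED_RANGES = [
    {"introduced": "10.0.0", "fixed": "10.0.10"},
    {"introduced": "11.0.0", "fixed": "11.0.10"},
]

# Dotted numeric prefix, then whatever qualifier follows (may be empty).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def version_key(version):
    """Return a sortable key for a Jetty/Maven version string.

    The numeric prefix is compared component by component, padded so that
    '10.0' equals '10.0.0'. A non-empty qualifier ('-SNAPSHOT', '.v20220331')
    makes the version sort *before* the bare numeric version, which follows
    Maven's treatment of pre-release qualifiers. This simplification is an
    assumption of this example, not a rule taken from the advisory.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))
    has_qualifier = bool(match.group(2))
    return (numbers, 0 if has_qualifier else 1)


def is_affected(version, ranges=AFFECTED_RANGES):
    """Return the fixing version if `version` lies in an affected range, else None.

    OSV ECOSYSTEM semantics: a range covers every v with introduced <= v < fixed.
    """
    key = version_key(version)
    for rng in ranges:
        if version_key(rng["introduced"]) <= key < version_key(rng["fixed"]):
            return rng["fixed"]
    return None


def triage(versions):
    """Map each deployed version to a verdict string for a quick inventory report."""
    report = {}
    for version in versions:
        fixed = is_affected(version)
        report[version] = f"affected, upgrade to {fixed}" if fixed else "not affected"
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    sample = ["9.4.46.v20220331", "10.0.9", "10.0.10", "11.0.10-SNAPSHOT", "11.0.11"]
    for version, verdict in triage(sample).items():
        print(f"{version:20} {verdict}")
```

Only the two ranges published for this advisory are encoded; the Jetty 9.4 line is outside both ranges, so the check reports it as not affected by this advisory rather than as safe in general.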