GHSA-8mpp-f3f7-xc28

Source

https://github.com/advisories/GHSA-8mpp-f3f7-xc28

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8mpp-f3f7-xc28

Aliases

CVE-2022-2191

Related

CVE-2022-2191

Published

2022-07-07T20:55:37Z

Modified

2024-02-22T05:18:31.237834Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Jetty SslConnection does not release pooled ByteBuffers in case of errors

Details

Impact

SslConnection does not release ByteBuffers in case of error code paths. For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the ByteBuffers used to process the TLS handshake will be leaked.

Workarounds

Configure explicitly a RetainableByteBufferPool with max[Heap|Direct]Memory to limit the amount of memory that is leaked. Eventually the pool will be full of "active" entries (the leaked ones) and will provide ByteBuffers that will be GCed normally.

With embedded-jetty

int maxBucketSize = 1000;
long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB
long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB
RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);

server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started
server.start();

With jetty-home/jetty-base

Create a ${jetty.base}/etc/retainable-byte-buffer-config.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool">
        <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg>
      </New>
    </Arg>
  </Call>
</Configure>

And then reference it in ${jetty.base}/start.d/retainable-byte-buffer-config.ini

etc/retainable-byte-buffer-config.xml

References

https://github.com/eclipse/jetty.project/issues/8161

For more information

Email us at security@webtide.com

Database specific

{
    "nvd_published_at": "2022-07-07T21:15:00Z",
    "github_reviewed_at": "2022-07-07T20:55:37Z",
    "cwe_ids": [
        "CWE-404"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Maven / org.eclipse.jetty:jetty-server

Package

Name: org.eclipse.jetty:jetty-server; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.0.10

Affected versions

10.*

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5

10.0.6

10.0.7

10.0.8

10.0.9

Maven / org.eclipse.jetty:jetty-server

Package

Name: org.eclipse.jetty:jetty-server; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

11.0.10

Affected versions

11.*

11.0.0

11.0.1

11.0.2

11.0.3

11.0.4

11.0.5

11.0.6

11.0.7

11.0.8

11.0.9