Bug 2116949 (CVE-2022-2047)

Summary: CVE-2022-2047 jetty-http: improver hostname input handling
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abenaiss, aileenc, alazarot, anstephe, asoldano, ataylor, avibelli, balejosg, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, brian.stansberry, btotty, cdewolf, chazlett, clement.escoffier, cmoulliard, dan.cermak, dandread, darran.lofthouse, dkreling, dosoudil, eglynn, ehelms, emingora, eric.wittmann, fjuma, fmongiar, gmalinko, gsmet, hamadhan, ibek, ikanello, i.ucar86, iweiss, janstey, jjoyce, jnethert, jochrist, jpavlik, jpechane, jrokos, jross, jscholz, jsherril, jwon, kverlaen, lgao, lhh, lpeer, lthon, lzap, mburns, mgarciac, mhulan, mkolesni, mmccune, mmclaugh, mnovotny, mokumar, mosmerov, msochure, msvehla, myarboro, nmoumoul, nwallace, orabin, pantinor, pcreech, pdelbell, peholase, pgallagh, pjindal, pmackay, probinso, rchan, rguimara, rkieley, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, scohen, sdouglas, smaestri, spower, tom.jenkinson, tzimanyi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jetty-http 9.4.47, jetty-http 10.0.10, jetty-http 11.0.10 Doc Type: ---
Doc Text:
A flaw was found in Eclipse Jetty. When parsing the authority segment of an HTTP scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This issue can lead to failures in a Proxy scenario.
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-21 05:52:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2153386    
Bug Blocks: 2105401    

Description Patrick Del Bello 2022-08-09 15:17:35 UTC
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q

Comment 8 errata-xmlrpc 2023-01-17 11:47:41 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.3.0

Via RHSA-2023:0189 https://access.redhat.com/errata/RHSA-2023:0189

Comment 9 Product Security DevOps Team 2023-01-21 05:52:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2047

Comment 11 errata-xmlrpc 2023-04-05 13:35:10 UTC
This issue has been addressed in the following products:

  AMQ Broker 7.11.0

Via RHSA-2023:1661 https://access.redhat.com/errata/RHSA-2023:1661