Bug 2116952 (CVE-2022-2048)

Summary: CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, asoldano, ataylor, avibelli, balejosg, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dkreling, dosoudil, eglynn, fjuma, fmongiar, gmalinko, gsmet, hamadhan, iweiss, janstey, jburrell, jjoyce, jnethert, jochrist, jpavlik, jpechane, jross, jscholz, jwon, lgao, lhh, lpeer, lthon, mburns, mgarciac, mkolesni, mmclaugh, mokumar, mosmerov, msochure, msvehla, nwallace, pantinor, pdelbell, peholase, pgallagh, pjindal, pmackay, probinso, rkieley, rruss, rstancel, rsvoboda, sbiarozk, scohen, sdouglas, smaestri, spower, tom.jenkinson, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: http2-server 9.4.47, http2-server 10.0.10, http2-server 11.0.10 Doc Type: ---
Doc Text:
A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-08 22:33:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2105401    

Description Patrick Del Bello 2022-08-09 15:23:10 UTC 
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly
cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.
Comment 8 errata-xmlrpc 2022-11-28 14:39:57 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
Comment 9 Product Security DevOps Team 2022-12-08 22:33:00 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2048
Comment 10 errata-xmlrpc 2023-01-12 16:46:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2023:0017 https://access.redhat.com/errata/RHSA-2023:0017
Comment 11 errata-xmlrpc 2023-01-17 11:47:41 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.3.0

Via RHSA-2023:0189 https://access.redhat.com/errata/RHSA-2023:0189
Comment 12 errata-xmlrpc 2023-02-22 23:58:46 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777
Comment 13 errata-xmlrpc 2023-06-19 10:12:56 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663