Bug 2116953 (CVE-2022-2191)

Summary: CVE-2022-2191 jetty-server: Improper release of ByteBuffers in SslConnections
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, anstephe, asoldano, ataylor, avibelli, balejosg, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, brian.stansberry, btotty, cdewolf, chazlett, clement.escoffier, cmoulliard, dan.cermak, dandread, darran.lofthouse, dkreling, dosoudil, eglynn, ehelms, emingora, eric.wittmann, fjuma, fmongiar, gmalinko, gsmet, hamadhan, ibek, ikanello, i.ucar86, iweiss, janstey, jjoyce, jnethert, jochrist, jpavlik, jpechane, jrokos, jross, jscholz, jsherril, jwon, kverlaen, lgao, lhh, lpeer, lthon, lzap, mburns, mgarciac, mhulan, mkolesni, mmccune, mmclaugh, mnovotny, mokumar, mosmerov, msochure, msvehla, myarboro, nmoumoul, nwallace, orabin, pantinor, pcreech, pdelbell, peholase, pgallagh, pjindal, pmackay, probinso, rchan, rguimara, rkieley, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, scohen, sdouglas, smaestri, spower, tom.jenkinson, tzimanyi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jetty-server 10.0.10, jetty-server 11.0.10 Doc Type: ---
Doc Text:
A flaw was found in the Jetty-server package. This flaw allows an attacker to send invalid requests, causing a denial of service in the Jetty Server.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-21 06:22:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2105401    

Description Patrick Del Bello 2022-08-09 15:27:38 UTC 
In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
Comment 3 Borja Tarraso 2022-08-17 12:43:52 UTC 
Based on https://github.com/eclipse/jetty.project/issues/8161#issuecomment-1178728623 this issue is not affecting jetty 9.4.x versions.
Comment 9 errata-xmlrpc 2023-01-17 11:47:44 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.3.0

Via RHSA-2023:0189 https://access.redhat.com/errata/RHSA-2023:0189
Comment 11 Product Security DevOps Team 2023-01-21 06:22:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2191