Bug 1201316 - (CVE-2022-2048) VUL-0: CVE-2022-2048: jetty-minimal,jetty-websocket,jetty-unixsocket: Invalid HTTP/2 requests can lead to denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/336493/
CVSSv3.1:SUSE:CVE-2022-2048:7.5:(AV:N...
Depends on:
Blocks:
Reported: 2022-07-08 08:14 UTC by Hu
Modified: 2022-12-02 08:42 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Hu 2022-07-08 08:14:54 UTC
CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid
HTTP/2 request, the error handling has a bug that can wind up not properly
cleaning up the active connections and associated resources. This can lead to a
Denial of Service scenario where there are not enough resources left to process
good requests.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2048
https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
Comment 1 Hu 2022-07-08 08:15:37 UTC
Fixing commit: https://github.com/eclipse/jetty.project/commit/be912d4315839405a8ae601f2e4ee0306867266e

Affected (Fixing commit applies):
- SUSE:SLE-15-SP2:Update/jetty-minimal          9.4.43
- openSUSE:Factory/jetty-minimal                9.4.46
- openSUSE:Factory/jetty-websocket              9.4.46
- openSUSE:Factory/jetty-unixsocket             9.4.46

Not Affected (Does not contain HttpChannelOverHTTP2.java):
- openSUSE:Factory/jetty-artifact-remote-resources      1.2
- openSUSE:Factory/jetty-build-support                  1.5
- openSUSE:Factory/jetty-distribution-remote-resources  1.2
- openSUSE:Factory/jetty-parent                         25
- openSUSE:Factory/jetty-schemas                        4.0.3
- openSUSE:Factory/jetty-toolchain                      1.7
- openSUSE:Factory/jetty-version-maven-plugin           1.0.10
Comment 3 OBSbugzilla Bot 2022-07-08 16:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1201316) was mentioned in
https://build.opensuse.org/request/show/987945 Factory / jetty-minimal