Bugzilla – Bug 1201316
VUL-0: CVE-2022-2048: jetty-minimal,jetty-websocket,jetty-unixsocket: Invalid HTTP/2 requests can lead to denial of service
Last modified: 2022-12-02 08:42:13 UTC
CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2048
https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
Fixing commit:
https://github.com/eclipse/jetty.project/commit/be912d4315839405a8ae601f2e4ee0306867266e

Affected (Fixing commit applies):
- SUSE:SLE-15-SP2:Update/jetty-minimal 9.4.43
- openSUSE:Factory/jetty-minimal 9.4.46
- openSUSE:Factory/jetty-websocket 9.4.46
- openSUSE:Factory/jetty-unixsocket 9.4.46

Not Affected (Does not contain HttpChannelOverHTTP2.java):
- openSUSE:Factory/jetty-artifact-remote-resources 1.2
- openSUSE:Factory/jetty-build-support 1.5
- openSUSE:Factory/jetty-distribution-remote-resources 1.2
- openSUSE:Factory/jetty-parent 25
- openSUSE:Factory/jetty-schemas 4.0.3
- openSUSE:Factory/jetty-toolchain 1.7
- openSUSE:Factory/jetty-version-maven-plugin 1.0.10
This is an autogenerated message for OBS integration:
This bug (1201316) was mentioned in
https://build.opensuse.org/request/show/987945 Factory / jetty-minimal