Improper Resource Shutdown or Release Affecting org.eclipse.jetty:jetty-server package, versions [10.0.0,10.0.10) [11.0.0,11.0.10)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGECLIPSEJETTY-2945458
- published 8 Jul 2022
- disclosed 7 Jul 2022
- credit Unknown
Introduced: 7 Jul 2022
CVE-2022-2191 Open this link in a new tabHow to fix?
Upgrade org.eclipse.jetty:jetty-server to version 10.0.10, 11.0.10 or higher.
Overview
org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
Affected versions of this package are vulnerable to Improper Resource Shutdown or Release when SslConnection does not release pooled ByteBuffers in case of errors, results in a memory leak.
Workarounds:
Configure explicitly a RetainableByteBufferPool with max[Heap|Direct]Memory to limit the amount of memory that is leaked.
Eventually the pool will be full of "active" entries (the leaked ones) and will provide ByteBuffers that will be GCed normally.
With embedded-jetty:
int maxBucketSize = 1000;
long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB
long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB
RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);
server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started
server.start();
With jetty-home/jetty-base:
Create a ${jetty.base}/etc/retainable-byte-buffer-config.xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool">
<Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg>
<Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg>
<Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg>
<Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg>
<Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg>
<Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg>
</New>
</Arg>
</Call>
</Configure>
And then reference it in ${jetty.base}/start.d/retainable-byte-buffer-config.ini
etc/retainable-byte-buffer-config.xml