Improper Resource Shutdown or Release Affecting org.eclipse.jetty:jetty-server package, versions [10.0.0,10.0.10)[11.0.0,11.0.10)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-ORGECLIPSEJETTY-2945458
- published8 Jul 2022
- disclosed7 Jul 2022
- creditUnknown
Introduced: 7 Jul 2022
CVE-2022-2191 (opens in a new tab)How to fix?
Upgrade org.eclipse.jetty:jetty-server to version 10.0.10, 11.0.10 or higher.
Overview
org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
Affected versions of this package are vulnerable to Improper Resource Shutdown or Release when SslConnection does not release pooled ByteBuffers in case of errors, results in a memory leak.
Workarounds:
Configure explicitly a RetainableByteBufferPool with max[Heap|Direct]Memory to limit the amount of memory that is leaked.
Eventually the pool will be full of "active" entries (the leaked ones) and will provide ByteBuffers that will be GCed normally.
With embedded-jetty:
int maxBucketSize = 1000; long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);
server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started server.start();
With jetty-home/jetty-base:
Create a ${jetty.base}/etc/retainable-byte-buffer-config.xml
<?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server"> <Call name="addBean"> <Arg> <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool"> <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg> <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg> <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg> <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg> </New> </Arg> </Call> </Configure>
And then reference it in ${jetty.base}/start.d/retainable-byte-buffer-config.ini
etc/retainable-byte-buffer-config.xml