7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2191

GHSA ID

GHSA-8mpp-f3f7-xc28

EPSS Score

0.63522%

CWE

CWE-404

Published

7/7/2022

Updated

1/28/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2191

CVE-2022-2191: Jetty SslConnection does not release pooled ByteBuffers in case of errors

Impact

SslConnection does not release ByteBuffers in case of error code paths. For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the ByteBuffers used to process the TLS handshake will be leaked.

Workarounds

Configure explicitly a RetainableByteBufferPool with max[Heap|Direct]Memory to limit the amount of memory that is leaked. Eventually the pool will be full of "active" entries (the leaked ones) and will provide ByteBuffers that will be GCed normally.

With embedded-jetty

int maxBucketSize = 1000;
long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB
long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB
RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);

server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started
server.start();

With jetty-home/jetty-base

Create a ${jetty.base}/etc/retainable-byte-buffer-config.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool">
        <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg>
      </New>
    </Arg>
  </Call>
</Configure>

And then reference it in ${jetty.base}/start.d/retainable-byte-buffer-config.ini

etc/retainable-byte-buffer-config.xml

References

https://github.com/eclipse/jetty.project/issues/8161

For more information

Email us at security@webtide.com

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2191

GHSA ID

GHSA-8mpp-f3f7-xc28

EPSS Score

0.63522%

CWE

CWE-404

Published

7/7/2022

Updated

1/28/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.eclipse.jetty:jetty-server	maven	>= 11.0.0, < 11.0.10	11.0.10
org.eclipse.jetty:jetty-server	maven	>= 10.0.0, < 10.0.10	10.0.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from SslConnection's failure to release pooled ByteBuffers during error handling. The core issue occurs in SSL processing paths where:

Buffers are acquired from RetainableByteBufferPool
Error conditions (like TLS handshake failures) occur
Buffers are not properly released back to the pool

While exact line numbers aren't available, the advisory specifically implicates SslConnection error paths. The DecryptedEndPoint's fill() and flush() methods are critical SSL processing points where buffer acquisition occurs. The vulnerability pattern matches common SSL handler implementations where buffer release might be missed in exception handling blocks. The high confidence comes from the direct correlation between the vulnerability description and these core SSL processing methods in Jetty's architecture.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t `Ssl*onn**tion` *o*s not r*l**s* `*yt**u***r`s in **s* o* *rror *o** p*t*s. *or *x*mpl*, TLS **n*s**k*s t**t r*quir* *li*nt-*ut* wit* *li*nts t**t s*n* *xpir** **rti*i**t*s will tri***r * TLS **n*s**k* *rrors *n* t** `*yt**u***r`s us** to

Reasoning

T** vuln*r**ility st*ms *rom Ssl*onn**tion's **ilur* to r*l**s* pool** *yt**u***rs *urin* *rror **n*lin*. T** *or* issu* o**urs in SSL pro**ssin* p*t*s w**r*: *. *u***rs *r* **quir** *rom R*t*in**l**yt**u***rPool *. *rror *on*itions (lik* TLS **n*s*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-2191: Jetty SslConnection does not release pooled ByteBuffers in case of errors

Impact

Workarounds

References

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI