
Improve SSLConnection buffers handling (CVE-2022-2191) #8161

Closed
lorban opened this issue Jun 13, 2022 · 7 comments · Fixed by Consensys/tessera#1463
Assignees
Labels: Bug (For general bugs on Jetty side), Security, Sponsored (This issue affects a user with a commercial support agreement)

Comments

@lorban (Contributor) commented Jun 13, 2022

Jetty version(s)
10+

Description
SSLConnection's buffers utilization and their pooling should be reviewed.

Fixes Security Advisory
GHSA-8mpp-f3f7-xc28
CVE-2022-2191

@lorban lorban added the Bug For general bugs on Jetty side label Jun 13, 2022
@lorban lorban self-assigned this Jun 13, 2022
@lorban lorban added this to To do in Jetty 10.0.10/11.0.10 - 🧊 FROZEN 🥶 via automation Jun 13, 2022
@lorban lorban added the Sponsored This issue affects a user with a commercial support agreement label Jun 13, 2022
lorban added a commit that referenced this issue Jun 14, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
lorban added a commit that referenced this issue Jun 14, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
lorban added a commit that referenced this issue Jun 14, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
lorban added a commit that referenced this issue Jun 15, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
lorban added a commit that referenced this issue Jun 15, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
lorban added a commit that referenced this issue Jun 15, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
Jetty 10.0.10/11.0.10 - 🧊 FROZEN 🥶 automation moved this from To do to Done Jun 15, 2022
lorban added a commit that referenced this issue Jun 15, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
lorban added a commit that referenced this issue Jun 15, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
lorban added a commit that referenced this issue Jun 15, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
lorban added a commit that referenced this issue Jun 15, 2022
Signed-off-by: Ludovic Orban <lorban@bitronix.be>
@joakime (Contributor) commented Jul 5, 2022

In light of discoveries during this review, a better combined ByteBufferPool with an easier-to-configure setup was just merged in PR #8171, due for the next Jetty 10.0.x release.

@joakime joakime changed the title Improve SSLConnection buffers handling Improve SSLConnection buffers handling (CVE-2022-2191) Jul 7, 2022
@AB-xdev commented Jul 8, 2022

Does this also affect Jetty 9.x?

According to the issue description this is only relevant for Jetty 10+ but the advisory says <= 10.0.9 which also includes version 9.x.

@lorban (Contributor, Author) commented Jul 8, 2022

No, it does not affect any 9.4.x version.

@joakime (Contributor) commented Jul 8, 2022

> According to the issue description this is only relevant for Jetty 10+ but the advisory says <= 10.0.9 which also includes version 9.x.

Good catch!

We'll update the advisory version range.

@kadinwu commented Jul 11, 2022

Affected versions in GitHub advisories (https://github.com/advisories/GHSA-8mpp-f3f7-xc28) has < 10.0.10.
Does it really affect 9.x versions?

@joakime (Contributor) commented Jul 11, 2022

> Affected versions in GitHub advisories GHSA-8mpp-f3f7-xc28 has < 10.0.10.
> Does it really affect 9.x versions?

See prior comments, and our advisory (the master database at GitHub has not been updated yet):

Also, Jetty 9.4.x is now at End of Community Support, you are strongly encouraged to upgrade to Jetty 10+ as soon as possible.

See:

@joakime (Contributor) commented Jul 12, 2022

The GitHub advisory database version of CVE-2022-2191 has its version range updated.
GHSA-8mpp-f3f7-xc28
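As an added defender-side check (not code from the Jetty project or from this thread), the script below encodes the affected range the thread settles on and flags Jetty artifacts in a constructed dependency list. The 10.0.0 lower bound and the 11.0.10 upper bound are assumptions drawn from the "10+" note and the 10.0.10/11.0.10 project board; the GHSA-8mpp-f3f7-xc28 advisory remains the authoritative source.

```python
import re

# Affected ranges as discussed in this thread: 10.0.x before 10.0.10 is affected,
# 9.4.x is not. Assumption: 11.0.x before 11.0.10 is included because the fix was
# tracked on the "Jetty 10.0.10/11.0.10" board. Check the advisory before relying on this.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 0, 10)),
    ((11, 0, 0), (11, 0, 10)),
)

# major.minor.patch, optionally followed by a Jetty qualifier such as ".v20220622"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-].*)?$")


def parse_jetty_version(text):
    """Return (major, minor, patch) for a Jetty version string, ignoring any qualifier."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Jetty version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected_by_cve_2022_2191(version_text):
    """True if the version falls inside one of the affected half-open ranges."""
    v = parse_jetty_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def scan_dependency_lines(lines):
    """Scan 'group:artifact:version' lines and return (artifact, version) pairs
    of org.eclipse.jetty artifacts that are in the affected range."""
    hits = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 3 or parts[0] != "org.eclipse.jetty":
            continue
        if is_affected_by_cve_2022_2191(parts[2]):
            hits.append((parts[1], parts[2]))
    return hits


# Constructed sample input, not taken from any real build.
SAMPLE_DEPENDENCIES = [
    "org.eclipse.jetty:jetty-server:9.4.48.v20220622",
    "org.eclipse.jetty:jetty-io:10.0.9",
    "org.eclipse.jetty:jetty-server:10.0.10",
    "org.eclipse.jetty:jetty-io:11.0.9",
    "com.example:unrelated:10.0.9",
]

if __name__ == "__main__":
    for artifact, version in scan_dependency_lines(SAMPLE_DEPENDENCIES):
        print(f"affected: {artifact} {version}")
```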
