CVE-2022-2191 Overview
In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, the SslConnection component fails to properly release ByteBuffers back to the configured ByteBufferPool when error code paths are triggered. This memory leak vulnerability can be exploited remotely to cause a Denial of Service (DoS) condition by exhausting server memory resources.
Critical Impact
Remote attackers can exploit this memory leak vulnerability to exhaust server memory, causing application crashes and service unavailability without requiring authentication.
Affected Products
- Eclipse Jetty versions 10.0.0 through 10.0.9
- Eclipse Jetty versions 11.0.0 through 11.0.9
Discovery Timeline
- 2022-07-07 - CVE-2022-2191 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-2191
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release). The flaw resides in the SslConnection class within Eclipse Jetty's SSL/TLS handling implementation. When SSL connections encounter error conditions during processing, the allocated ByteBuffer objects are not properly returned to the ByteBufferPool.
The ByteBufferPool in Jetty is designed to efficiently manage memory by reusing buffer objects rather than constantly allocating and deallocating memory. When error paths in SslConnection fail to release these buffers, the pool's available capacity diminishes with each failed connection attempt.
An attacker can exploit this vulnerability by initiating numerous SSL/TLS connections that deliberately trigger error conditions. Over time, this causes progressive memory exhaustion as buffers accumulate without being reclaimed.
Root Cause
The root cause lies in improper resource management within the SslConnection error handling logic. When SSL handshake failures or other connection errors occur, the code paths responsible for handling these exceptions do not include proper cleanup logic to return allocated ByteBuffer instances to the pool. This violates the resource acquisition and release pattern expected by Jetty's memory management system.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can remotely target the SSL/TLS endpoint of a Jetty server by:
- Establishing multiple SSL/TLS connections to the target server
- Intentionally triggering error conditions during the SSL handshake or connection phase
- Repeating this process to progressively exhaust the server's ByteBufferPool and available memory
- Eventually causing the server to become unresponsive or crash due to memory exhaustion
The vulnerability is particularly dangerous because it can be exploited from any network location with access to the Jetty server's HTTPS port.
Detection Methods for CVE-2022-2191
Indicators of Compromise
- Unusual increase in memory consumption on servers running Jetty 10.0.0-10.0.9 or 11.0.0-11.0.9
- High volume of failed SSL/TLS handshake attempts in server logs
- OutOfMemoryError exceptions in Jetty application logs
- Gradual performance degradation followed by service unavailability
Detection Strategies
- Monitor JVM heap memory usage for Jetty instances and alert on sustained upward trends without corresponding traffic increases
- Implement log analysis to detect anomalous patterns of SSL/TLS connection failures from single or distributed sources
- Configure application performance monitoring (APM) to track ByteBufferPool utilization metrics
- Deploy intrusion detection rules to identify rapid SSL connection cycling behavior
Monitoring Recommendations
- Enable JMX monitoring for Jetty's ByteBufferPool to track buffer allocation and release patterns
- Set up alerting thresholds for memory utilization exceeding normal operational baselines
- Review SSL connection logs regularly for patterns indicating exploitation attempts
- Implement rate limiting on SSL/TLS connection attempts per source IP
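One way to implement the log-analysis strategy above (an added example, not code from this page or from the Jetty project): a sliding-window count of SSL handshake failures per source IP, plus an aggregate count that catches the distributed case where no single source trips the per-IP threshold. The log line layout, the hypothetical "handshake failed from <ip>" message and the sample events are constructed assumptions; adapt LOG_RE to the format your deployment's logger actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout, modelled on Jetty's default logger format; the real
# deployment's SslConnection messages may differ, so adjust LOG_RE to match.
LINE_FMT = ("{ts}:WARN :oeji.ssl.SslConnection:qtp1-12: handshake failed from {ip} "
            "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure")
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}):WARN :oeji\.ssl\."
                    r"SslConnection:.*?handshake failed from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_failures(lines):
    """Yield (timestamp, source_ip) for every handshake-failure line, in log order."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"), m.group("ip")

def detect(lines, window_s=60, per_ip_threshold=5, global_threshold=20):
    """Sliding-window counts of SSL handshake failures.

    Returns (flagged, distributed): flagged maps each source IP that produced at
    least per_ip_threshold failures inside one window_s-second window to its peak
    count; distributed is True when failures from all sources combined reached
    global_threshold in one window, which catches many low-rate sources leaking
    buffers together even though no single IP trips the per-IP threshold.
    """
    per_ip, all_events, flagged, distributed = defaultdict(deque), deque(), {}, False
    for ts, ip in parse_failures(lines):
        for q in (per_ip[ip], all_events):
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop events outside the window
                q.popleft()
        if len(per_ip[ip]) >= per_ip_threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(per_ip[ip]))
        if len(all_events) >= global_threshold:
            distributed = True
    return flagged, distributed

def make_sample_log():
    """Constructed sample: one noisy source, one benign source, a burst of 20 singletons."""
    base = datetime(2022, 7, 8, 10, 15, 0)
    events = [(i * 5, "198.51.100.7") for i in range(6)]        # 6 failures in 25 s
    events += [(0, "203.0.113.9"), (300, "203.0.113.9")]        # 2 failures, 5 min apart
    events += [(40 + i, f"192.0.2.{i}") for i in range(20)]     # 20 sources, one failure each
    events.sort()
    return [LINE_FMT.format(ts=(base + timedelta(seconds=off)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3], ip=ip)
            for off, ip in events]

if __name__ == "__main__":
    print(detect(make_sample_log()))   # ({'198.51.100.7': 6}, True)
```

Feed it the output of `grep SslConnection jetty.log` in production and tune the thresholds to the baseline handshake-failure rate of that endpoint.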
How to Mitigate CVE-2022-2191
Immediate Actions Required
- Upgrade Eclipse Jetty to version 10.0.10 or later for the 10.x branch
- Upgrade Eclipse Jetty to version 11.0.10 or later for the 11.x branch
- If immediate patching is not possible, implement connection rate limiting at the network level
- Monitor memory consumption closely until patches can be applied
Patch Information
Eclipse has addressed this vulnerability in Jetty versions 10.0.10 and 11.0.10. The fix ensures that ByteBuffer objects are properly released back to the ByteBufferPool even when error conditions are encountered in SslConnection.
For detailed patch information and upgrade guidance, refer to the GitHub Security Advisory GHSA-8mpp-f3f7-xc28. A vendor advisory is also available from NetApp.
Workarounds
- Implement network-level rate limiting for SSL/TLS connection attempts to reduce the impact of exploitation
- Configure firewall rules to restrict access to Jetty HTTPS endpoints to trusted IP ranges where possible
- Increase JVM heap size as a temporary measure to extend time before memory exhaustion (not a fix)
- Consider deploying a reverse proxy or load balancer in front of Jetty to provide additional connection management
# Example: rate-limit new TCP connections to the HTTPS port using iptables (Linux).
# Port 8443 is an assumption; use the port the Jetty SSL connector listens on.
# Insert these rules ahead of any rule that ACCEPTs traffic to that port, otherwise
# they are never reached (-A appends to the end of the INPUT chain).
# Limit: 10 new connections per second per source IP. The DROP rule is evaluated
# first so the 11th connection within a second is dropped, and --update keeps the
# source blocked for as long as it keeps connecting at that rate. The default
# xt_recent history of 20 hits (ip_pkt_list_tot) is enough for a hitcount of 10.
iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW -m recent --name jetty_ssl --update --seconds 1 --hitcount 10 -j DROP
iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW -m recent --name jetty_ssl --set
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.