CVE-2022-2191
First published: Thu Jul 07 2022(Updated: )
Eclipse Jetty is vulnerable to a denial of service, caused by a flaw with SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse Jetty | >=10.0.0<=10.0.9 | |
| Eclipse Jetty | >=11.0.0<=11.0.9 | |
| IBM Cognos Command Center | <=10.2.4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/230671
- https://www.ibm.com/support/pages/node/6983274 (Advisory)
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
- https://security.netapp.com/advisory/ntap-20220909-0003/
- https://github.com/eclipse/jetty.project/issues/8161#issuecomment-1178728623
- https://access.redhat.com/errata/RHSA-2023:0189
- https://access.redhat.com/security/cve/cve-2022-2191
- https://bugzilla.redhat.com/show_bug.cgi?id=2116953
- https://www.cve.org/CVERecord?id=CVE-2022-2191 https://nvd.nist.gov/vuln/detail/CVE-2022-2191 https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
Frequently Asked Questions
What is CVE-2022-2191?
CVE-2022-2191 is a vulnerability in the Jetty-server package that allows an attacker to send invalid requests and cause a denial of service.
How severe is the CVE-2022-2191 vulnerability?
The severity of CVE-2022-2191 is high with a CVSS score of 7.5.
What software is affected by CVE-2022-2191?
The Jetty-server package version up to and excluding 10.0.10 and 11.0.10 are affected, as well as Eclipse Jetty versions from 10.0.0 to 10.0.9 and 11.0.0 to 11.0.9. IBM Cognos Command Center versions up to and including 10.2.4.1 are also affected.
How can I fix CVE-2022-2191?
To fix CVE-2022-2191, update the Jetty-server package to version 10.0.10 or 11.0.10, or update Eclipse Jetty to a version above 10.0.9 or 11.0.9. For IBM Cognos Command Center, update to a version higher than 10.2.4.1.
Where can I find more information about CVE-2022-2191?
You can find more information about CVE-2022-2191 at the following references: [GitHub Issue](https://github.com/eclipse/jetty.project/issues/8161#issuecomment-1178728623), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2023:0189), [Red Hat CVE Page](https://access.redhat.com/security/cve/cve-2022-2191).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/ibm-support
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-2191
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/ibm
- canonical/ibm cognos command center
- version/ibm cognos command center/10.2.4.1
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/10.0.0
- version/eclipse jetty/10.0.9
- version/eclipse jetty/11.0.0
- version/eclipse jetty/11.0.9
- package-manager/redhat