{ "threat_severity" : "Moderate", "public_date" : "2022-07-07T00:00:00Z", "bugzilla" : { "description" : "http2-server: Invalid HTTP/2 requests cause DoS", "id" : "2116952", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2116952" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-410", "details" : [ "In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.", "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests." ], "affected_release" : [ { "product_name" : "OpenShift Developer Tools and Services for OCP 4.11", "release_date" : "2023-06-19T00:00:00Z", "advisory" : "RHSA-2023:3663", "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8", "package" : "jenkins-0:2.401.1.1686831596-3.el8" }, { "product_name" : "Red Hat AMQ Streams 2.3.0", "release_date" : "2023-01-17T00:00:00Z", "advisory" : "RHSA-2023:0189", "cpe" : "cpe:/a:redhat:amq_streams:2", "package" : "http2-server" }, { "product_name" : "Red Hat Fuse 7.11.1", "release_date" : "2022-11-28T00:00:00Z", "advisory" : "RHSA-2022:8652", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "http2-server" }, { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2023-01-12T00:00:00Z", "advisory" : "RHSA-2023:0017", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "jenkins-0:2.361.1.1672840472-1.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.9", "release_date" : "2023-02-23T00:00:00Z", "advisory" : "RHSA-2023:0777", "cpe" : "cpe:/a:redhat:openshift:4.9::el8", "package" : "jenkins-0:2.361.1.1675668150-1.el8" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Will not fix", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of Debezium 1", "fix_state" : "Not affected", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Not affected", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "http2-server", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-2048\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2048\nhttps://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j" ], "name" : "CVE-2022-2048", "csaw" : false }