{ "threat_severity" : "Moderate", "public_date" : "2022-07-07T00:00:00Z", "bugzilla" : { "description" : "jetty-server: Improper release of ByteBuffers in SslConnections", "id" : "2116953", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2116953" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-404", "details" : [ "In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.", "A flaw was found in the Jetty-server package. This flaw allows an attacker to send invalid requests, causing a denial of service in the Jetty Server." ], "statement" : "In Red Hat Satellite 6.9 we are using 9.4.x or below of jetty-server. Red Hat Satellite 6.10 is not using jetty-server anymore. This flaw only affects versions above 10.0.x or 11.0.x of jetty-server, therefore Red Hat Satellite 6.9 or 6.10 are not impacted by this vulnerability.", "affected_release" : [ { "product_name" : "Red Hat AMQ Streams 2.3.0", "release_date" : "2023-01-17T00:00:00Z", "advisory" : "RHSA-2023:0189", "cpe" : "cpe:/a:redhat:amq_streams:2", "package" : "jetty-server" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Debezium 1", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "lucene4", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "puppetserver", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat support for Spring Boot", "fix_state" : "Not affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-2191\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2191\nhttps://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28" ], "name" : "CVE-2022-2191", "csaw" : false }