[MAVEN:GHSA-8MPP-F3F7-XC28] Jetty SslConnection does not release pooled ByteBuffers in case of errors
Impact
`SslConnection` does not release `ByteBuffer`s on its error code paths.
For example, a TLS handshake that requires client-auth, from a client that sends an expired certificate, fails with a TLS handshake error, and the `ByteBuffer`s used to process that handshake are leaked. Because the handshake is aborted before any authentication succeeds, an unauthenticated remote client can repeat it at will, so the leak is remotely triggerable.
Workarounds
Explicitly configure a `RetainableByteBufferPool` with `maxHeapMemory` and `maxDirectMemory` set, to bound the amount of memory that can be leaked.
Eventually the pool will be full of "active" entries (the leaked ones); once it is, it hands out non-pooled `ByteBuffer`s that are GCed normally, so the leak stops growing at the configured cap. This is a workaround only: the fix is to upgrade to 10.0.10 or 11.0.10.
With embedded-jetty
```java
int maxBucketSize = 1000;
long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB
long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB
// Constructor arguments: minCapacity, factor, maxCapacity (-1 uses the pool's defaults),
// maxBucketSize, maxHeapMemory, maxDirectMemory
RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);
server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started
server.start();
```
With jetty-home/jetty-base
Create a ${jetty.base}/etc/retainable-byte-buffer-config.xml
```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool">
        <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg>
      </New>
    </Arg>
  </Call>
</Configure>
```
And then reference it from ${jetty.base}/start.d/retainable-byte-buffer-config.ini:
```ini
etc/retainable-byte-buffer-config.xml
```
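The following is an added example, not code from the advisory or from the Jetty project: an embedded Jetty 10/11 server that combines the two things the advisory talks about, a TLS connector that requires client certificates (the code path on which failed handshakes leak buffers) and the memory-capped `ArrayRetainableByteBufferPool` workaround, plus a small check that lets you watch the leak from inside the process. The keystore and truststore paths and passwords are placeholders. The pool getters used by the check (`getHeapMemory`, `getDirectMemory`, `getHeapByteBufferCount`, `getAvailableHeapByteBufferCount` and their direct-memory counterparts) are this example's assumption about the pool's managed attributes; verify them against the Jetty version you run.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.io.ArrayRetainableByteBufferPool;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Added example (not Jetty project code): TLS client-auth connector with the
 * advisory's capped-pool workaround installed, and a leak check you can poll.
 */
public class CappedPoolClientAuthServer
{
    // Same caps as the advisory's workaround: 128 MB heap and 128 MB direct.
    static final long MAX_HEAP_MEMORY = 128L * 1024 * 1024;
    static final long MAX_DIRECT_MEMORY = 128L * 1024 * 1024;
    static final int MAX_BUCKET_SIZE = 1000;

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();

        // Install the capped pool before any connector is created and before
        // start(): connectors resolve the server's RetainableByteBufferPool bean,
        // so a pool added later is not the one the SslConnection uses.
        ArrayRetainableByteBufferPool pool = new ArrayRetainableByteBufferPool(
            0, -1, -1, MAX_BUCKET_SIZE, MAX_HEAP_MEMORY, MAX_DIRECT_MEMORY);
        server.addBean(pool);

        // Mandatory client certificates: a client presenting an expired
        // certificate fails the handshake, which is the leaking error path
        // in jetty-server < 10.0.10 / < 11.0.10.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/etc/jetty/server-keystore.p12");         // placeholder
        ssl.setKeyStorePassword("changeit");                            // placeholder
        ssl.setTrustStorePath("/etc/jetty/client-ca-truststore.p12");  // placeholder
        ssl.setTrustStorePassword("changeit");                          // placeholder
        ssl.setNeedClientAuth(true);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);
        server.addConnector(https);

        server.start();

        // Poll the pool while the server runs. On an idle server the in-use
        // count should fall back to roughly zero; a count that keeps growing
        // after a burst of failed client-auth handshakes is the leak. Retained
        // memory should plateau near the caps once the pool is full of leaked
        // ("active") entries, because later buffers are handed out unpooled.
        while (server.isRunning())
        {
            System.out.printf("pool in-use buffers=%d heap=%d/%d direct=%d/%d%n",
                inUseBuffers(pool),
                pool.getHeapMemory(), MAX_HEAP_MEMORY,
                pool.getDirectMemory(), MAX_DIRECT_MEMORY);
            Thread.sleep(30_000);
        }
    }

    /**
     * Pooled buffers currently handed out and not yet released (heap + direct).
     * Getter names are assumed from the pool's managed attributes.
     */
    static long inUseBuffers(ArrayRetainableByteBufferPool pool)
    {
        long heapInUse = pool.getHeapByteBufferCount() - pool.getAvailableHeapByteBufferCount();
        long directInUse = pool.getDirectByteBufferCount() - pool.getAvailableDirectByteBufferCount();
        return heapInUse + directInUse;
    }
}
```

The same attributes are exported over JMX by the pool's `@ManagedObject` annotations, so the in-use and retained-memory figures can be graphed from an existing monitoring stack instead of the polling loop above; on a patched server the in-use count returns to baseline after the failed handshakes are closed.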
References
https://github.com/eclipse/jetty.project/issues/8161
For more information
- Email us at security@webtide.com
Package | Affected Version |
---|---|
pkg:maven/org.eclipse.jetty/jetty-server | >= 10.0.0, < 10.0.10 |
pkg:maven/org.eclipse.jetty/jetty-server | >= 11.0.0, < 11.0.10 |
Package | Fixed Version |
---|---|
pkg:maven/org.eclipse.jetty/jetty-server | = 10.0.10 |
pkg:maven/org.eclipse.jetty/jetty-server | = 11.0.10 |
- ID: MAVEN:GHSA-8MPP-F3F7-XC28
- Severity: high
- URL: https://github.com/advisories/GHSA-8mpp-f3f7-xc28
- Published: 2022-07-07T20:55:37
- Modified: 2023-01-28T05:02:59
- Rights: Maven Security Team