Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve SSLConnection buffers handling (CVE-2022-2191) #8161

Closed
lorban opened this issue Jun 13, 2022 · 7 comments · Fixed by Consensys/tessera#1463
Closed

Improve SSLConnection buffers handling (CVE-2022-2191) #8161

lorban opened this issue Jun 13, 2022 · 7 comments · Fixed by Consensys/tessera#1463
Assignees
@lorban
Labels
Bug For general bugs on Jetty side Security Sponsored This issue affects a user with a commercial support agreement

Comments

@lorban
Copy link
Contributor

lorban commented Jun 13, 2022
edited by joakime
Loading

Jetty version(s)
10+

Description
SSLConnection's buffers utilization and their pooling should be reviewed.

Fixes Security Advisory
GHSA-8mpp-f3f7-xc28
CVE-2022-2191
@lorban lorban added the Bug For general bugs on Jetty side label Jun 13, 2022
@lorban lorban self-assigned this Jun 13, 2022
@lorban lorban added the Sponsored This issue affects a user with a commercial support agreement label Jun 13, 2022
lorban added a commit that referenced this issue Jun 14, 2022
@lorban
#8161 improve SSLConnection buffers handling
b383f53 
Signed-off-by: Ludovic Orban <[email protected]>
lorban added a commit that referenced this issue Jun 14, 2022
@lorban
#8161 add memory heuristic to ArrayRetainableByteBufferPool
00e33d6 
Signed-off-by: Ludovic Orban <[email protected]>
lorban added a commit that referenced this issue Jun 14, 2022
@lorban
#8161 add mod and xml config to configure RetainableByteBufferPool
7a0b80c 
Signed-off-by: Ludovic Orban <[email protected]>
@lorban lorban mentioned this issue Jun 14, 2022
Merged
lorban added a commit that referenced this issue Jun 15, 2022
@lorban
#8161 introduce releaseEmpty*Buffer vs release*Buffer helpers
ba17305 
Signed-off-by: Ludovic Orban <[email protected]>
lorban added a commit that referenced this issue Jun 15, 2022
@lorban
#8161 improve javadoc and mod doc
090306b 
Signed-off-by: Ludovic Orban <[email protected]>
lorban added a commit that referenced this issue Jun 15, 2022
@lorban
#8161 remove xml config and improve naming of buffer-releasing methods
e6800f7 
Signed-off-by: Ludovic Orban <[email protected]>
lorban added a commit that referenced this issue Jun 15, 2022
@lorban
#8161 make RetainableByteBufferPool a 1st class citizen in the API
0471fe0 
Signed-off-by: Ludovic Orban <[email protected]>
lorban added a commit that referenced this issue Jun 15, 2022
@lorban
#8161 add xml config and mod for retainable byte buffer pool
e2e22d4 
Signed-off-by: Ludovic Orban <[email protected]>
lorban added a commit that referenced this issue Jun 15, 2022
@lorban
#8161 fix checkstyle
eaffde4 
Signed-off-by: Ludovic Orban <[email protected]>
lorban added a commit that referenced this issue Jun 15, 2022
@lorban
#8161 fix more checkstyle
1d3e1cc 
Signed-off-by: Ludovic Orban <[email protected]>
@macfarla macfarla mentioned this issue Jun 22, 2022
Merged
2 tasks
@joakime
Copy link
Contributor

joakime commented Jul 5, 2022

In light of discoveries during this review, a better combined ByteBufferPool with easier to configure setup was just merged in PR #8171, due for the next Jetty 10.0.x release.

@macfarla macfarla mentioned this issue Jul 7, 2022
Merged
2 tasks
@joakime joakime changed the title Improve SSLConnection buffers handling Improve SSLConnection buffers handling (CVE-2022-2191) Jul 7, 2022
@AB-xdev
Copy link

AB-xdev commented Jul 8, 2022

Does this also affect Jetty 9.x?

According to the issue description this is only relevant for Jetty 10+ but the advisory says <= 10.0.9 which also includes version 9.x.

@lorban
Copy link
Contributor Author

lorban commented Jul 8, 2022

No, it does not affect any 9.4.x version.

@AB-xdev AB-xdev mentioned this issue Jul 8, 2022
Closed
@joakime
Copy link
Contributor

joakime commented Jul 8, 2022

According to the issue description this is only relevant for Jetty 10+ but the advisory says <= 10.0.9 which also includes version 9.x.

Good catch!

We'll update the advisory version range.

@exceptionfactory exceptionfactory mentioned this issue Jul 8, 2022
Closed
@tisonkun tisonkun mentioned this issue Jul 9, 2022
Merged
2 tasks
@aikebah aikebah mentioned this issue Jul 9, 2022
Closed
@kadinwu
Copy link

kadinwu commented Jul 11, 2022

affected versions in github advisories [(https://github.com/advisories/GHSA-8mpp-f3f7-xc28)] has < 10.0.10.
does it really affect 9.x versions?

@Playacem Playacem mentioned this issue Jul 11, 2022
Closed
@joakime
Copy link
Contributor

joakime commented Jul 11, 2022
edited
Loading

affected versions in github advisories GHSA-8mpp-f3f7-xc28 has < 10.0.10.
does it really affect 9.x versions?

See prior comments, and our advisory (the master database at github has not been updated yet):

Also, Jetty 9.4.x is now at End of Community Support, you are strongly encouraged to upgrade to Jetty 10+ as soon as possible.

See:

@joakime joakime mentioned this issue Jul 11, 2022
Closed
@milt milt mentioned this issue Jul 11, 2022
Merged
@msymons msymons mentioned this issue Jul 11, 2022
Closed
@joakime
Copy link
Contributor

joakime commented Jul 12, 2022

The github advisory database version of CVE-2022-2191 has its version range updated.
GHSA-8mpp-f3f7-xc28

@tisonkun tisonkun mentioned this issue Jul 12, 2022
Merged
1 task
This was referenced Oct 12, 2022
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lorban lorban

Labels
Bug For general bugs on Jetty side Security Sponsored This issue affects a user with a commercial support agreement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

update jetty macfarla/tessera
4 participants
@joakime @lorban @kadinwu @AB-xdev