In the Eclipse Jetty HTTP/2 server implementation, the error handling for an invalid HTTP/2 request has a bug that can leave the active connection and its associated resources not properly cleaned up. This can lead to a Denial of Service scenario in which not enough resources are left to process legitimate requests.
The product’s resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Jetty | Eclipse | * | 9.4.47 (excluding) |
Jetty | Eclipse | 10.0.0 (including) | 10.0.9 (excluding) |
Jetty | Eclipse | 11.0.0 (including) | 11.0.9 (excluding) |
OpenShift Developer Tools and Services for OCP 4.11 | RedHat | jenkins-0:2.401.1.1686831596-3.el8 | * |
Red Hat AMQ Streams 2.3.0 | RedHat | http2-server | * |
Red Hat Fuse 7.11.1 | RedHat | http2-server | * |
Red Hat OpenShift Container Platform 4.8 | RedHat | jenkins-0:2.361.1.1672840472-1.el8 | * |
Red Hat OpenShift Container Platform 4.9 | RedHat | jenkins-0:2.361.1.1675668150-1.el8 | * |
Jetty | Ubuntu | trusty | * |
Jetty | Ubuntu | trusty/esm | * |
Jetty | Ubuntu | xenial | * |
Jetty8 | Ubuntu | trusty | * |
Jetty8 | Ubuntu | trusty/esm | * |
Jetty8 | Ubuntu | xenial | * |
Jetty9 | Ubuntu | bionic | * |
Jetty9 | Ubuntu | impish | * |
Jetty9 | Ubuntu | kinetic | * |
Jetty9 | Ubuntu | upstream | * |
Jetty9 | Ubuntu | xenial | * |
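As an added example (not part of this advisory record), the following Python checks a Jetty version string against the three upstream Eclipse Jetty ranges in the table above, honouring the "(including)" and "(excluding)" bounds and the "*" wildcard. It only covers the upstream rows: the Ubuntu and Red Hat rows refer to distribution packages whose fixes are backported, so their version strings cannot be compared against the upstream ranges. The `version_from_server_header` helper assumes Jetty's `Server` response header has the form `Jetty(<version>)`, which is an assumption of this example, and the sample version strings in the test are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.4.46.v20220331' into (9, 4, 46): keep the leading numeric parts,
    stop at the first non-numeric component (build/date suffix)."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


_BOUND = re.compile(r"^\s*([\d.]+)\s*\((including|excluding)\)\s*$")


def parse_bound(text: str) -> Tuple[Optional[Version], bool]:
    """Parse a table cell such as '9.4.47 (excluding)' into (version, inclusive).
    '*' means unbounded and is returned as (None, True)."""
    if text.strip() == "*":
        return None, True
    m = _BOUND.match(text)
    if not m:
        raise ValueError(f"unparseable bound: {text!r}")
    return parse_version(m.group(1)), m.group(2) == "including"


@dataclass(frozen=True)
class Range:
    start: Optional[Version]
    start_inclusive: bool
    end: Optional[Version]
    end_inclusive: bool

    @classmethod
    def from_row(cls, start_cell: str, end_cell: str) -> "Range":
        s, s_inc = parse_bound(start_cell)
        e, e_inc = parse_bound(end_cell)
        return cls(s, s_inc, e, e_inc)

    def contains(self, v: Version) -> bool:
        # Tuple comparison handles differing lengths: (9, 4, 47, 1) > (9, 4, 47).
        if self.start is not None:
            if v < self.start or (v == self.start and not self.start_inclusive):
                return False
        if self.end is not None:
            if v > self.end or (v == self.end and not self.end_inclusive):
                return False
        return True


# Upstream Eclipse Jetty rows from the advisory table (Start Version, End Version).
AFFECTED_RANGES: List[Range] = [
    Range.from_row("*", "9.4.47 (excluding)"),
    Range.from_row("10.0.0 (including)", "10.0.9 (excluding)"),
    Range.from_row("11.0.0 (including)", "11.0.9 (excluding)"),
]


def is_affected(version_text: str) -> bool:
    """True if the given upstream Jetty version falls inside any affected range."""
    v = parse_version(version_text)
    return any(r.contains(v) for r in AFFECTED_RANGES)


def version_from_server_header(header_value: str) -> Optional[str]:
    """Extract the version from a 'Server: Jetty(<version>)' header value.
    The 'Jetty(<version>)' format is an assumption of this example."""
    m = re.search(r"Jetty\(([^)]+)\)", header_value)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample values, not observed data.
    for sample in ("9.4.46.v20220331", "9.4.47.v20220610", "10.0.8", "11.0.9"):
        print(f"{sample:>20}: {'AFFECTED' if is_affected(sample) else 'fixed'}")
```

Fix is to move to 9.4.47, 10.0.9 or 11.0.9 (the first excluded end of each range); for distribution packages, rely on the vendor's own advisory rather than this comparison.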