CVE-2022-2048
📋 TL;DR
This vulnerability in Eclipse Jetty's HTTP/2 server implementation allows attackers to cause denial of service by sending invalid HTTP/2 requests that trigger resource cleanup failures. The bug prevents proper cleanup of active connections and associated resources, eventually exhausting server capacity. Any system running vulnerable Jetty versions with HTTP/2 enabled is affected.
💻 Affected Systems
- Eclipse Jetty
📦 What is this software?
Element Plug In For Vcenter Server by Netapp
Jenkins by Jenkins
Jetty by Eclipse
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability as all server resources become exhausted, preventing legitimate requests from being processed.
Likely Case
Progressive degradation of service performance leading to partial or intermittent denial of service.
If Mitigated
Minimal impact with proper connection limits, monitoring, and quick detection of anomalous traffic patterns.
🎯 Exploit Status
Exploitation requires sending malformed HTTP/2 requests, which can be automated. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jetty 9.4.49, Jetty 10.0.11, Jetty 11.0.11
Vendor Advisory: https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
Restart Required: Yes
Instructions:
1. Identify the current Jetty version.
2. Upgrade to a patched version (9.4.49, 10.0.11, or 11.0.11).
3. Restart the Jetty server.
4. Verify the upgrade with a version check.
🔧 Temporary Workarounds
Disable HTTP/2
Temporarily disable HTTP/2 protocol support to eliminate the vulnerability vector
Configure Jetty to use only HTTP/1.x by removing HTTP/2 connector configuration from jetty.xml or equivalent configuration files
Implement Rate Limiting
Configure connection and request rate limits to mitigate resource exhaustion attacks
Configure connection limits in Jetty: <Set name="maxConnections">100</Set>
Implement request throttling at load balancer or reverse proxy level
🧯 If You Can't Patch
- Implement network-level protections: Use WAF or reverse proxy to filter malformed HTTP/2 requests before they reach Jetty
- Enable aggressive monitoring: Set up alerts for abnormal connection counts, memory usage spikes, or HTTP/2 error rate increases
🔍 How to Verify
Check if Vulnerable:
Check the Jetty version with java -jar start.jar --version, or examine the server logs for version information. If the version is in the range 9.4.0-9.4.48, 10.0.0-10.0.10, or 11.0.0-11.0.10 and HTTP/2 is enabled, the system is vulnerable.
Check Version:
java -jar start.jar --version 2>&1 | grep -i jetty || ls WEB-INF/lib/jetty-*.jar
Verify Fix Applied:
Verify that the Jetty version is 9.4.49, 10.0.11, or 11.0.11 or later. Test with malformed HTTP/2 requests to confirm proper error handling and resource cleanup.
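The version check above is easy to get wrong by hand (9.4.48 is vulnerable, 9.4.49 is not, and a 9.4.x build string carries a .vYYYYMMDD suffix), so the following added script, which is not part of this page or of the Jetty project, applies the page's three vulnerable ranges to a version string and also reports whether HTTP/2 is enabled. It assumes that HTTP/2 is enabled through Jetty's module system (an uncommented `--module=http2` or `--module=http2c` line in start.ini or start.d/*.ini), and the sample version banner and start.ini contents embedded below are constructed, not captured from a real server.

```python
"""Check a Jetty build against the CVE-2022-2048 vulnerable ranges and see
whether HTTP/2 is enabled. Added example; runs offline on constructed input."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Vulnerable ranges stated in the advisory text (inclusive bounds).
VULNERABLE_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((9, 4, 0), (9, 4, 48)),
    ((10, 0, 0), (10, 0, 10)),
    ((11, 0, 0), (11, 0, 10)),
)

# Module names assumed to switch HTTP/2 on (TLS and cleartext variants).
HTTP2_MODULES = {"http2", "http2c"}

# Matches "9.4.48", "9.4.48.v20220622" or "10.0.10"; the .vYYYYMMDD suffix is optional.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.v\d+)?\b")


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y.Z version found on a line that mentions Jetty.

    Only lines containing "jetty" are considered, so a JDK version line in the
    same output is not mistaken for the Jetty version."""
    for line in text.splitlines():
        if "jetty" not in line.lower():
            continue
        m = _VERSION_RE.search(line)
        if m:
            return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def is_vulnerable_version(version: Version) -> bool:
    """True when the version lies inside any of the advisory's ranges."""
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)


def http2_enabled(start_ini: str) -> bool:
    """Scan start.ini-style text for an uncommented --module line enabling HTTP/2.

    Assumption: modules are listed as '--module=name' or '--module=a,b'."""
    for raw in start_ini.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--module="):
            modules = {m.strip() for m in line[len("--module="):].split(",")}
            if modules & HTTP2_MODULES:
                return True
    return False


def assess(version_output: str, start_ini: str) -> Dict[str, object]:
    """Combine both checks: exposed only if the build is vulnerable AND HTTP/2 is on."""
    version = parse_version(version_output)
    vulnerable_build = version is not None and is_vulnerable_version(version)
    h2 = http2_enabled(start_ini)
    return {
        "version": version,
        "vulnerable_build": vulnerable_build,
        "http2_enabled": h2,
        "exposed": vulnerable_build and h2,
    }


# Constructed samples: a one-line version banner and a minimal start.ini.
SAMPLE_VERSION_OUTPUT = "jetty version: 9.4.48.v20220622\n"
SAMPLE_START_INI = "--module=server\n--module=http\n--module=http2\n"

if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION_OUTPUT, SAMPLE_START_INI).items():
        print(f"{key}: {value}")
```

Feed it the real banner (java -jar start.jar --version 2>&1) and the contents of start.ini or start.d/*.ini; a result of exposed = False because HTTP/2 is off still leaves the build vulnerable, so the upgrade remains due before HTTP/2 is re-enabled.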
📡 Detection & Monitoring
Log Indicators:
- Increased HTTP/2 protocol errors
- Connection cleanup failures in logs
- Resource exhaustion warnings
- Abnormal increase in active connections
Network Indicators:
- Spike in malformed HTTP/2 requests
- Unusual patterns of small/incomplete HTTP/2 frames
- Increased TCP connections without corresponding valid requests
SIEM Query:
source="jetty.log" AND ("HTTP/2 error" OR "connection cleanup" OR "resource exhaustion") | stats count by src_ip
🔗 References
- http://www.openwall.com/lists/oss-security/2022/09/09/2
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
- https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html
- https://security.netapp.com/advisory/ntap-20220901-0006/
- https://www.debian.org/security/2022/dsa-5198