[ZOOKEEPER-4606] CVE-2022-2048 in jetty 9.4.43.v20210629 in zk 3.7.1 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Open
Priority: Critical
Resolution: Unresolved
Affects Version/s: 3.7.1
Fix Version/s: None
Component/s: security
Labels:
- cve
- security

Description

Hi, our security tool detects the following CVE on zookeeper 3.7.1 :

https://nvd.nist.gov/vuln/detail/CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.

It is a vulnerability related to jetty jar in version 9.4.43.v20210629 jar.

Here is the security advisory from jetty: https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j

The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Daniel Ma

Votes:: 2 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 17/Aug/22 16:16

Updated:: 20/Feb/23 07:05