CVE-2024-22201

NameCVE-2024-22201
DescriptionJetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3780-1, DSA-5664-1
Debian Bugs1064923

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jetty8 (PTS)jessie, jessie (lts)8.1.16-4+deb8u1fixed
jetty9 (PTS)stretch (security), stretch (lts), stretch9.2.30-0+deb9u2fixed
buster (security), buster, buster (lts)9.4.50-4+deb10u2fixed
bullseye (security), bullseye9.4.50-4+deb11u2fixed
bookworm (security), bookworm9.4.50-4+deb12u3fixed
sid, trixie9.4.56-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jetty8sourcejessie(not affected)
jetty8source(unstable)(unfixed)
jetty9sourcestretch(not affected)
jetty9sourcebuster9.4.50-4+deb10u2DLA-3780-1
jetty9sourcebullseye9.4.50-4+deb11u2DSA-5664-1
jetty9sourcebookworm9.4.50-4+deb12u3DSA-5664-1
jetty9source(unstable)9.4.54-11064923

Notes

https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98
https://github.com/jetty/jetty.project/issues/11256
Fixed by: https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b (jetty-9.4.54.v20240208)
[jessie] - jetty8 <not-affected> (HTTP/2 support was added in jetty9 v9.3)
[stretch] - jetty9 <not-affected> (HTTP/2 support was added in v9.3)
Search for package or bug name: Reporting problems