GHSA-8mpp-f3f7-xc28

GitHub Security Advisory

Jetty SslConnection does not release pooled ByteBuffers in case of errors

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

### Impact
`SslConnection` does not release pooled `ByteBuffer`s on its error code paths.
For example, a TLS handshake that requires client authentication, with a client that presents an expired certificate, triggers a TLS handshake error, and the `ByteBuffer`s used to process that handshake are leaked.

### Workarounds
Explicitly configure a `RetainableByteBufferPool` with `max[Heap|Direct]Memory` set, so that the amount of memory that can be leaked is bounded.
Eventually the pool will be full of "active" entries (the leaked ones) and will hand out `ByteBuffer`s outside the pool, which are GCed normally.

_With embedded-jetty_

``` java
import org.eclipse.jetty.io.ArrayRetainableByteBufferPool;
import org.eclipse.jetty.io.RetainableByteBufferPool;
import org.eclipse.jetty.server.Server;

// `server` is the already-configured org.eclipse.jetty.server.Server instance (with its SSL connector)
Server server = /* your Server instance */ null;

int maxBucketSize = 1000;
long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB
long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB
// minCapacity=0, factor=-1, maxCapacity=-1 keep the pool defaults; the last two arguments cap pooled memory
RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);

server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started
server.start();
```

_With jetty-home/jetty-base_

Create a `${jetty.base}/etc/retainable-byte-buffer-config.xml`

``` xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.io.ArrayRetainableByteBufferPool">
        <Arg type="int"><Property name="jetty.byteBufferPool.minCapacity" default="0"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.factor" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxCapacity" default="-1"/></Arg>
        <Arg type="int"><Property name="jetty.byteBufferPool.maxBucketSize" default="1000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxHeapMemory" default="128000000"/></Arg>
        <Arg type="long"><Property name="jetty.byteBufferPool.maxDirectMemory" default="128000000"/></Arg>
      </New>
    </Arg>
  </Call>
</Configure>
```

Then reference it in `${jetty.base}/start.d/retainable-byte-buffer-config.ini`:

```
etc/retainable-byte-buffer-config.xml
```

### References
https://github.com/eclipse/jetty.project/issues/8161

### For more information
* Email us at [[email protected]](mailto:[email protected])

Affected Packages

Maven org.eclipse.jetty:jetty-server
Affected versions: 10.0.0 (fixed in 10.0.10)
Maven org.eclipse.jetty:jetty-server
Affected versions: 11.0.0 (fixed in 11.0.10)
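As an added example (not part of the advisory or of the Jetty project), the following Python checker encodes the two affected ranges listed above, read as "10.0.0 or later but before 10.0.10" and "11.0.0 or later but before 11.0.10", and scans dependency lines in the format `mvn dependency:list` prints. The sample lines and the version-ordering rules (missing numeric components count as zero, a qualifier such as `alpha0` marks a pre-release that sorts before the plain release) are assumptions made for the example.

```python
"""Flag jetty-server versions that fall inside the affected ranges listed in
this advisory. Added example, not part of the advisory; the sample dependency
lines below are constructed to look like `mvn dependency:list` output."""
import re

# [introduced, fixed) per release branch, taken from the Affected Packages section.
AFFECTED = {
    "org.eclipse.jetty:jetty-server": [("10.0.0", "10.0.10"), ("11.0.0", "11.0.10")],
}

# numeric dotted base plus an optional qualifier such as alpha0, beta1, RC2, SNAPSHOT
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:[.-]([A-Za-z].*))?$")


def parse_version(text):
    """Return (numeric_parts, qualifier) or raise ValueError for unparsable input."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    qual = (m.group(2) or "").lower()
    return nums, qual


def compare_versions(a, b):
    """Return -1, 0 or 1. Missing numeric components count as 0 (10.0 == 10.0.0);
    a qualifier marks a pre-release, which sorts before the plain release (assumption)."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na = na + [0] * (width - len(na))
    nb = nb + [0] * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if qa == qb:
        return 0
    if not qa:
        return 1
    if not qb:
        return -1
    return -1 if qa < qb else 1


def is_affected(coordinate, version):
    """True when version lies inside any [introduced, fixed) range for the coordinate."""
    ranges = AFFECTED.get(coordinate, [])
    return any(
        compare_versions(lo, version) <= 0 and compare_versions(version, hi) < 0
        for lo, hi in ranges
    )


# group:artifact[:type]:version[:scope] at the end of a line, as `mvn dependency:list` prints
_DEP_LINE = re.compile(r"([\w.-]+):([\w.-]+):(?:[\w-]+:)?([\w.-]+)(?::[\w-]+)?\s*$")


def scan_dependency_list(lines):
    """Return (coordinate, version) pairs from the lines that match an affected range."""
    hits = []
    for line in lines:
        m = _DEP_LINE.search(line)
        if not m:
            continue
        coordinate = f"{m.group(1)}:{m.group(2)}"
        version = m.group(3)
        if coordinate in AFFECTED and is_affected(coordinate, version):
            hits.append((coordinate, version))
    return hits


# Constructed sample output; the versions sit on both sides of the fix.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.eclipse.jetty:jetty-server:jar:10.0.9:compile",
    "[INFO]    org.eclipse.jetty:jetty-util:jar:10.0.9:compile",
    "[INFO]    org.eclipse.jetty:jetty-server:jar:11.0.10:compile",
    "[INFO]    org.slf4j:slf4j-api:jar:2.0.0:compile",
]

if __name__ == "__main__":
    for coordinate, version in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate}:{version} is in an affected range (GHSA-8mpp-f3f7-xc28)")
```

On the sample input only `jetty-server:10.0.9` is reported; `11.0.10` is the fixed version and `jetty-util` is not listed as affected. Pre-release builds of the introduced version (for example `10.0.0.alpha0`) sort before `10.0.0` and are therefore not flagged; widen the lower bound if an inventory contains such builds and you want them reported.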

Key Information

GHSA ID
GHSA-8mpp-f3f7-xc28
Published
July 7, 2022 8:55 PM
Last Modified
August 11, 2022 9:31 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
org.eclipse.jetty:jetty-server
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.