CVE-2024-22201: Jetty Web Server Vulnerability - HTTP/2 SSL Connection Leaks and Exploit Details

In this article, we will discuss an important security vulnerability identified in the Jetty web server which has been assigned CVE-2024-22201. Jetty is a widely-used Java-based web server and servlet engine, known for its efficient performance and extensibility.

We will cover details of the vulnerability, including its impact and possible exploitation, code snippets illustrating the issue, and links to original references. We will also provide information on the patch versions and steps to mitigate the risk.

Vulnerability Details

CVE-2024-22201 refers to a leak in the Jetty web server, specifically in the handling of HTTP/2 SSL connections. When an HTTP/2 SSL connection is established and encounters TCP congestion, it will be leaked when the connection times out. An attacker can exploit this vulnerability by initiating a large number of connections to enter this state, ultimately causing the server to exhaust its available file descriptors, and subsequently, stop accepting new connections from legitimate clients.

The vulnerability has been addressed and patched in the following Jetty versions: 9.4.54, 10..20, 11..20, and 12..6.

Code Snippet

The issue lies in the Jetty web server's Http2Session class, where the onStreamTimeout() method is not being invoked correctly when there is an issue with the HTTP/2 SSL connection.

Here's a simplified version of the code in question from Jetty's Http2Session.java file

private void onStreamTimeout()
{
    // ...
    if (isClosed() && !isClosing())
    {
        _log.debug("Session {} timed out", this);
    }
    // ...
}

In the above code, the method onStreamTimeout() should be called when the connection has become congested and timed out. However, due to an oversight in Jetty's codebase, this method is not being called, resulting in a connection leak.

Exploit

To exploit this vulnerability, an attacker could initiate a large number of HTTP/2 SSL connections to the victim web server, causing the connections to become congested and eventually time out. This will force the server to exhaust its file descriptors, and eventually, it will cease accepting new connections, denying service to legitimate users.

Here are the links to the original references and discussions surrounding this vulnerability

1. Jetty's Official Website: https://www.eclipse.org/jetty/
2. Jetty's GitHub Repository: https://github.com/eclipse/jetty.project
3. Jetty Security Advisory: https://www.eclipse.org/lists/jetty-announce/msg00141.html
4. CVE-2024-22201 Official Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22201

Mitigation

To defend against this vulnerability, administrators are advised to update their Jetty web server to one of the patched versions mentioned above (9.4.54, 10..20, 11..20, or 12..6).

For those unable to update immediately, consider implementing traffic throttling or monitoring at the network or application level to identify and mitigate potential exploit attempts.

Conclusion

CVE-2024-22201 highlights the importance of keeping your software up-to-date and maintaining a proactive security posture. In this long-read post, we covered the details of this Jetty vulnerability, its potential exploit, and key references for further research. We urge administrators using Jetty to apply the appropriate patch and take necessary precautions to protect their systems and users.

Timeline

Published on: 02/26/2024 16:27:56 UTC
Last modified on: 02/26/2024 16:32:25 UTC