CVE-2024-22201 in Jetty
Summary
by MITRE • 02/26/2024
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
Analysis
by VulDB Data Team • 02/08/2025
CVE-2024-22201 affects Jetty deployments that serve HTTP/2 over SSL/TLS and is a critical resource exhaustion issue that can lead to service disruption. The flaw manifests when an established HTTP/2 SSL connection experiences TCP congestion and then times out: instead of being closed, the connection is leaked. The root cause is improper handling of the connection lifecycle under network congestion, where the server fails to release the file descriptor associated with the connection. This is a classic resource leak, and it can be exploited by deliberately establishing connections that are driven into this congested-then-timed-out state.
Technically, the vulnerability stems from how Jetty manages HTTP/2 connection state under network stress. When TCP congestion occurs during the SSL handshake or data transfer, the connection may time out without proper cleanup of its underlying file descriptor. The result is a leak of connection resources (file descriptors and the memory tied to them) that accumulates over time, and accumulates quickly when an attacker deliberately opens many connections that will time out under congestion. The weakness is classified as CWE-404 (Improper Resource Shutdown or Release) and maps to ATT&CK technique T1499.004 for resource exhaustion. The affected release lines are 9.4.x, 10.0.x, 11.0.x, and 12.0.x, so every major maintained line of Jetty is impacted.
The operational impact goes beyond performance degradation to full denial of service, which is particularly dangerous in production environments where availability is critical. As leaked connections consume file descriptors, the server eventually reaches its file descriptor limit and can no longer accept new legitimate connections. The failure cascades: the server stays unresponsive to valid clients while the leaked connections remain held. An attacker exploits this by establishing numerous connections that time out under network congestion, exhausting the server's connection handling capacity. The vulnerability therefore directly threatens service continuity and is classified as a denial of service vector under ATT&CK T1498.
Mitigation for CVE-2024-22201 is to deploy the vendor's patched versions immediately: 9.4.54, 10.0.20, 11.0.20, or 12.0.6 depending on the release line in use. Organizations should also monitor connection counts and alert on unusual connection patterns, which may indicate exploitation attempts. Network-level controls such as connection rate limiting and TCP congestion control tuning reduce the likelihood of successful exploitation. Raising the process file descriptor limit buys time while the upgrade is rolled out, but it is only a workaround, not a fix, because the leak continues to accumulate. Sensible connection timeout settings and monitoring of connection lifecycle events help detect and slow the build-up of leaked connections. The vulnerability underlines the importance of careful resource management in high-throughput web servers and the need to test edge cases involving network congestion.
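As an added example, not part of the VulDB or MITRE advisory and not Jetty's own code, the following Python check can be run over collected `Server` header values to flag hosts still below the fix versions named above for their release line. It assumes Jetty's default `Server` header form, e.g. `Jetty(9.4.53.v20231009)`; the sample header values are constructed. A version match only shows the affected code is present; per the advisory the leak is reachable when HTTP/2 over SSL is enabled.

```python
import re

# Fix versions named in the advisory, keyed by release line (major, minor).
FIXED_VERSIONS = {
    (9, 4): (9, 4, 54),
    (10, 0): (10, 0, 20),
    (11, 0): (11, 0, 20),
    (12, 0): (12, 0, 6),
}

# Matches "9.4.53.v20231009", "12.0.5" or the header form "Jetty(10.0.19)";
# the ".vYYYYMMDD" build suffix Jetty appends on some lines is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_jetty_version(text):
    """Return (major, minor, patch) from a version string or Server header, else None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_affected_by_cve_2024_22201(text):
    """True if the version is on an affected release line and below that line's fix.

    Returns None when the version cannot be parsed or is on a line the advisory
    does not name, so "not determined" is never silently reported as "safe".
    """
    version = parse_jetty_version(text)
    if version is None:
        return None
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def triage(server_headers):
    """Map host -> affected flag (True / False / None) for an inventory of Server headers."""
    return {host: is_affected_by_cve_2024_22201(hdr) for host, hdr in server_headers.items()}


# Constructed sample inventory (hypothetical hosts and header values).
SAMPLE_SERVER_HEADERS = {
    "app-a": "Jetty(9.4.53.v20231009)",   # below 9.4.54  -> affected
    "app-b": "Jetty(10.0.20)",            # at fix        -> not affected
    "app-c": "Jetty(12.0.5)",             # below 12.0.6  -> affected
    "app-d": "Apache-Coyote/1.1",         # not Jetty     -> None
}

if __name__ == "__main__":
    for host, flag in triage(SAMPLE_SERVER_HEADERS).items():
        print(f"{host}: {'AFFECTED' if flag else 'not determined' if flag is None else 'patched'}")
```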