CVE-2022-2191: 
Java vulnerability analysis and mitigation

CVE-2022-2191 affects Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9. The vulnerability was discovered in the SslConnection component, which fails to release ByteBuffers from configured ByteBufferPool in error code paths (GitHub Advisory, CVE Mitre).

The vulnerability occurs when SslConnection fails to release ByteBuffers in error code paths. A specific example is during TLS handshakes that require client authentication with clients sending expired certificates, which triggers TLS handshake errors causing ByteBuffer leaks (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

Successful exploitation of this vulnerability could lead to a Denial of Service (DoS) condition. The vulnerability specifically affects the availability of the system while having no impact on confidentiality or integrity (NetApp Security).

A workaround exists by configuring explicitly a RetainableByteBufferPool with maxHeapMemory and maxDirectMemory to limit the amount of memory that can be leaked. The pool will eventually become full of 'active' entries (the leaked ones) and will provide ByteBuffers that will be garbage collected normally. The issue has been fixed in versions 10.0.10 and 11.0.10 (GitHub Advisory).