CVE-2024-22201: 
Java vulnerability analysis and mitigation

CVE-2024-22201 affects Jetty, a Java based web server and servlet engine. The vulnerability was discovered in January 2024 and publicly disclosed in February 2024. The issue affects Jetty versions 9.3.0 through 9.4.53, 10.0.0 through 10.0.19, 11.0.0 through 11.0.19, and 12.0.0 through 12.0.5. When an HTTP/2 SSL connection becomes TCP congested and times out, the connection remains in an established but idle state, leading to potential resource exhaustion (GitHub Advisory).

The vulnerability occurs when an HTTP/2 SSL connection becomes TCP congested and experiences an idle timeout. In this scenario, the HTTP/2 session is marked as closed and a GOAWAY frame is queued for writing. However, due to TCP congestion, the frame cannot be written. When another idle timeout period elapses, the connection should be forcibly closed, but since the HTTP/2 session reports as already closed, no hard close is attempted. This leaves the connection in ESTABLISHED state, TCP congested, and idle. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can lead to a denial of service condition. An attacker can cause multiple connections to end up in this leaked state, potentially exhausting the server's file descriptors. This eventually prevents the server from accepting new connections from legitimate clients. While clients may also be impacted if the server stops reading data (causing TCP congestion), the issue is particularly severe for servers (GitHub Advisory).

The vulnerability has been patched in Jetty versions 9.4.54, 10.0.20, 11.0.20, and 12.0.6. For users unable to upgrade immediately, the recommended workaround is to disable HTTP/2 and HTTP/3 support, as HTTP/1.x is not affected by this vulnerability (GitHub Advisory).