Lucene search

K
ibmIBM6FCB312F851B6934988595C2E7724A5C11C84D610341D83ADD1A696432243B50
HistoryNov 22, 2022 - 1:47 p.m.

Security Bulletin: Rational Performance Tester contains vulnerabilities which could affect Eclipse Jetty. Rational Performance Tester has taken steps to mitigate these vulnerabilities.

2022-11-2213:47:01
www.ibm.com
7

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

49.9%

Summary

Eclipse Jetty contains a vulnerability around improper hostname input handling that could lead to failure in a proxy scenario, and a vulnerability that could lead to a potential denial of service attack.

Vulnerability Details

CVEID:CVE-2022-2191
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by a flaw with SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230671 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-2047
**DESCRIPTION:**Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this vulnerability to the HttpClient and ProxyServlet/AsyncProxyServlet/AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230668 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-2048
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by a flaw in the error handling of an invalid HTTP/2 request. By sending specially-crafted HTTP/2 requests, a remote attacker could exploit this vulnerability to cause the server to become unresponsive, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230670 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
RPT 10.1
RPT 10.0
RPT 10.2
RPT 9.2
RPT 9.5

Remediation/Fixes

Upgrading to Rational Performance Tester version 10.5 is strongly recommended.

Product VRMF APAR Remediation/First Fix
RPT 10.2 None <https://download4.boulder.ibm.com/sar/CMA/RAA/0atii/0/PSIRT58763_RPT-RST-ifix.zip&gt;
RPT 10.1 None <https://download4.boulder.ibm.com/sar/CMA/RAA/0atii/0/PSIRT58763_RPT-RST-ifix.zip&gt;
RPT 10.0 None <https://download4.boulder.ibm.com/sar/CMA/RAA/0atii/0/PSIRT58763_RPT-RST-ifix.zip&gt;
RPT 9.5 None <https://download4.boulder.ibm.com/sar/CMA/RAA/0atii/0/PSIRT58763_RPT-RST-ifix.zip&gt;
RPT 9.2 None <https://download4.boulder.ibm.com/sar/CMA/RAA/0atii/0/PSIRT58763_RPT-RST-ifix.zip&gt;

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

49.9%

Related for 6FCB312F851B6934988595C2E7724A5C11C84D610341D83ADD1A696432243B50