Vulnerability Name: CVE-2022-2048 (CCN-230670)

Assigned: 2022-07-07
Published: 2022-07-07
Updated: 2023-07-24
Summary: Eclipse Jetty is vulnerable to a denial of service, caused by a flaw in the error handling of an invalid HTTP/2 request. By sending specially crafted HTTP/2 requests, a remote attacker could exploit this vulnerability to cause the server to become unresponsive, resulting in a denial of service condition.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Consequences: Denial of Service
References: Source: MITRE
Type: CNA
CVE-2022-2048

Source: emo@eclipse.org
Type: Mailing List, Third Party Advisory
emo@eclipse.org

Source: XF
Type: UNKNOWN
eclipse-cve20222048-dos(230670)

Source: CCN
Type: Eclipse GIT Repository
Invalid HTTP/2 requests can lead to denial of service

Source: emo@eclipse.org
Type: Third Party Advisory
emo@eclipse.org

Source: emo@eclipse.org
Type: Mailing List, Third Party Advisory
emo@eclipse.org

Source: emo@eclipse.org
Type: Third Party Advisory
emo@eclipse.org

Source: emo@eclipse.org
Type: Third Party Advisory
emo@eclipse.org

Source: CCN
Type: IBM Security Bulletin 6608554 (Sterling Secure Proxy)
IBM Secure External Authentication Server is vulnerable to multiple issues due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6608556 (Sterling Secure Proxy)
IBM Sterling Secure Proxy is vulnerable to multiple issues due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6612971 (Rational Functional Tester)
An Eclipse Jetty vulnerability affects IBM Rational Functional Tester

Source: CCN
Type: IBM Security Bulletin 6613329 (Process Mining)
Vulnerability in Eclipse Jetty affects IBM Process Mining. CVE-2020-36518

Source: CCN
Type: IBM Security Bulletin 6825139 (QRadar User Behavior Analytics)
Multiple vulnerabilities in Zookeeper affecting IBM QRadar User Behavior Analytics (CVE-2022-2191, CVE-2022-2047, CVE-2022-2048, CVE-2022-24823, CVE-2020-36518)

Source: CCN
Type: IBM Security Bulletin 6825513 (Rational Change)
Multiple Vulnerabilities in Rational Change Fix Pack 04 for 5.3.2

Source: CCN
Type: IBM Security Bulletin 6825515 (Rational Synergy)
Multiple Vulnerabilities in Rational Synergy 7.2.2.4

Source: CCN
Type: IBM Security Bulletin 6829321 (InfoSphere Information Server)
Multiple vulnerabilities in Eclipse Jetty affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6831855 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6836831 (Log Analysis)
Vulnerability from Eclipse Jetty affects IBM Operations Analytics - Log Analysis (CVE-2022-2048)

Source: CCN
Type: IBM Security Bulletin 6840987 (Rational Performance Tester)
Rational Performance Tester contains vulnerabilities which could affect Eclipse Jetty. Rational Performance Tester has taken steps to mitigate these vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6840989 (Rational Performance Tester)
Rational Service Tester contains vulnerabilities which could affect Eclipse Jetty. Rational Service Tester has taken steps to mitigate these vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6852233 (Tivoli Netcool/OMNIbus)
Tivoli Netcool/Omnibus installation contains vulnerable Eclipse Jetty code libraries (Multiple CVEs)

Source: CCN
Type: IBM Security Bulletin 6852613 (Tivoli Network Manager)
Multiple Vulnerabilities discovered in libraries used by Apache Zookeeper that is included in ITNM (CVE-2020-36518, CVE-2022-2047, CVE-2022-2048, CVE-2022-24823)

Source: CCN
Type: IBM Security Bulletin 6857999 (Cloud Pak for Business Automation)
Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2023

Source: CCN
Type: IBM Security Bulletin 6965698 (Tivoli Network Manager)
Vulnerabilities found within Java collectors used by IBM Tivoli Network Manager (ITNM) IP Edition.

Source: CCN
Type: IBM Security Bulletin 6983274 (Cognos Command Center)
IBM Cognos Command Center is affected by multiple vulnerabilities

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-2048

Vulnerable Configuration: Configuration CCN 1:
  • cpe:/a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:10.0.0:-:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_performance_tester:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_secure_proxy:3.4.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_secure_proxy:2.4.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_secure_proxy:6.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID: oval:org.opensuse.security:def:8024
    Class: P
    Title: jetty-http-9.4.48-150200.3.16.3 on GA media (Moderate)
    Last Modified: 2023-06-20