CVE-2024-22201 is a high-severity vulnerability in Jetty, a Java-based web server and servlet engine that ships in various Debian and NetApp products. The vulnerability arises when an HTTP/2 SSL connection is established under TCP congestion and subsequently times out. An attacker can open many connections in this state, depleting the server's file descriptors. Once the descriptors are exhausted, the server can no longer accept new connections from legitimate clients, and service is disrupted.
The vulnerability has a CVSS score of 7.5, categorizing it as a high-severity issue. The score reflects its potential impact, particularly in production environments where uptime is critical. Organizations running affected versions of Jetty should prioritize applying the available patches. Remediation is urgent because the vulnerability can cause significant availability loss.
Jetty versions 9.4.54, 10.0.20, 11.0.20, and 12.0.6 have addressed this vulnerability, making immediate patching essential for all users running earlier versions. Failure to update could expose systems to denial-of-service (DoS) conditions, where legitimate user requests are rejected due to exhausted server resources.
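The following is an added example, not code from the advisory or from the Jetty project: a small inventory check that decides whether a reported Jetty version predates the fix on its release line, using only the fixed versions stated above (9.4.54, 10.0.20, 11.0.20, 12.0.6). The version-string formats and the sample host inventory are constructed assumptions; release lines the advisory does not list (for example 9.3.x) are flagged for manual review rather than guessed at.

```python
"""Classify Jetty versions against the CVE-2024-22201 fixed releases.

Added example, not from the advisory or the Jetty project. The only facts
taken from the advisory are the first fixed release of each line below.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per supported release line, as stated in the advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 4): (9, 4, 54),
    (10, 0): (10, 0, 20),
    (11, 0): (11, 0, 20),
    (12, 0): (12, 0, 6),
}

# Matches the MAJOR.MINOR.PATCH core of strings such as
# "Jetty(9.4.53.v20231009)" or "jetty-12.0.5" (formats assumed here).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a version or banner string.

    Returns None when no three-part version is present, so callers never
    act on a guess.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> Optional[bool]:
    """Return True if the version is on a listed release line and older than
    that line's fix, False if it is at or past the fix, and None when the
    version cannot be parsed or its line is not covered by the advisory.
    """
    version = parse_version(text)
    if version is None:
        return None
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None  # e.g. 9.3.x or 12.1.x: not listed, judge separately
    return version < fixed  # tuple comparison orders releases correctly


def audit(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort a {host: version string} inventory into action buckets."""
    result: Dict[str, List[str]] = {"patch": [], "ok": [], "review": []}
    for host, text in sorted(inventory.items()):
        status = is_vulnerable(text)
        bucket = "review" if status is None else ("patch" if status else "ok")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real systems.
    sample = {
        "app-01": "Jetty(9.4.53.v20231009)",
        "app-02": "Jetty(9.4.54)",
        "api-01": "jetty-12.0.5",
        "api-02": "jetty-12.0.6",
        "legacy-01": "Jetty(9.3.30)",
        "unknown-01": "no version banner",
    }
    for bucket, hosts in audit(sample).items():
        print(f"{bucket:7s} {', '.join(hosts) or '-'}")
```

Hosts in the `review` bucket are those whose version could not be parsed or whose release line the advisory does not mention; they need a manual decision rather than being silently treated as safe.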
Current intelligence indicates that there are no known exploits for CVE-2024-22201, but given its nature and the availability of a public advisory, organizations should act swiftly to mitigate the risk and prioritize patching immediately.
For further insights on vulnerability management, organizations can consider reviewing best practices related to continuous security testing.
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that it can lead to resource exhaustion and denial-of-service scenarios.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.