gsd-2024-1635
Vulnerability from gsd
Modified
2024-02-20 06:02
Details
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available.
At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
Aliases
{ gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2024-1635", ], details: "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \r\n\r\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.", id: "GSD-2024-1635", modified: "2024-02-20T06:02:28.028758Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2024-1635", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "EAP 7.4.16", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unaffected", }, }, ], }, }, { product_name: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.30-1.SP1_redhat_00001.1.el8eap", versionType: "rpm", }, ], }, }, ], }, }, { product_name: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.30-1.SP1_redhat_00001.1.el9eap", versionType: "rpm", }, ], }, }, ], }, }, { product_name: "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.30-1.SP1_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, }, ], }, }, { product_name: "Red Hat Single Sign-On 7.6 for RHEL 7", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.13-1.redhat_00001.1.el7sso", versionType: "rpm", }, ], }, }, ], }, }, { product_name: "Red Hat Single Sign-On 7.6 for RHEL 8", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.13-1.redhat_00001.1.el8sso", versionType: "rpm", }, ], }, }, ], }, }, { product_name: "Red Hat Single Sign-On 7.6 for RHEL 9", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.13-1.redhat_00001.1.el9sso", versionType: "rpm", }, ], }, }, ], }, }, { product_name: "RHEL-8 based Middleware Containers", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", versions: [ { lessThan: "*", status: "unaffected", version: "7.6-46", versionType: "rpm", }, ], }, }, ], }, }, { product_name: "RHSSO 7.6.8", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unaffected", }, }, ], }, }, { product_name: "OpenShift Serverless", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat build of Apache Camel 4.0 for Spring Boot", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat build of Apache Camel for Quarkus", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat build of Apache Camel for Spring Boot", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat Build of Keycloak", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", }, }, ], }, }, { product_name: "Red Hat build of OptaPlanner 8", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat build of Quarkus", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat Data Grid 8", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unaffected", }, }, ], }, }, { product_name: "Red Hat Integration Camel K", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat Integration Camel Quarkus", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat Integration Service Registry", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat JBoss A-MQ Streams", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat JBoss Data Grid 7", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat JBoss Enterprise Application Platform 8", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unaffected", }, }, ], }, }, { product_name: "Red Hat JBoss Fuse 7", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat JBoss Fuse Service Works 6", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, { product_name: "Red Hat Process Automation 7", version: { version_data: [ { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "unknown", }, }, ], }, }, ], }, vendor_name: "Red Hat", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \r\n\r\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.", }, ], }, impact: { cvss: [ { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, ], }, problemtype: { problemtype_data: [ { description: [ { cweId: "CWE-400", lang: "eng", value: "Uncontrolled Resource Consumption", }, ], }, ], }, references: { reference_data: [ { name: "https://access.redhat.com/errata/RHSA-2024:1674", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2024:1674", }, { name: "https://access.redhat.com/errata/RHSA-2024:1675", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2024:1675", }, { name: "https://access.redhat.com/errata/RHSA-2024:1676", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2024:1676", }, { name: "https://access.redhat.com/errata/RHSA-2024:1677", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2024:1677", }, { name: "https://access.redhat.com/errata/RHSA-2024:1860", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2024:1860", }, { name: "https://access.redhat.com/errata/RHSA-2024:1861", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2024:1861", }, { name: "https://access.redhat.com/errata/RHSA-2024:1862", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2024:1862", }, { name: "https://access.redhat.com/errata/RHSA-2024:1864", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2024:1864", }, { name: "https://access.redhat.com/errata/RHSA-2024:1866", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2024:1866", }, { name: "https://access.redhat.com/security/cve/CVE-2024-1635", refsource: "MISC", url: "https://access.redhat.com/security/cve/CVE-2024-1635", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=2264928", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264928", }, { name: "https://security.netapp.com/advisory/ntap-20240322-0007/", refsource: "MISC", url: "https://security.netapp.com/advisory/ntap-20240322-0007/", }, ], }, work_around: [ { lang: "en", value: "No mitigation is currently available for this vulnerability. However, there might be some protections, such as request limits by a load balancer in front of JBoss EAP/Wildfly or even Undertow, that could minimize the impact.", }, ], }, "nvd.nist.gov": { cve: { descriptions: [ { lang: "en", value: "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \r\n\r\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.", }, { lang: "es", value: "Se encontrĂł una vulnerabilidad en Undertow. Esta vulnerabilidad afecta a un servidor que admite el protocolo wildfly-http-client. Siempre que un usuario malintencionado abre y cierra una conexiĂłn con el puerto HTTP del servidor y luego cierra la conexiĂłn inmediatamente, el servidor finalizará con los lĂmites de memoria y de archivos abiertos agotados en algĂşn momento, dependiendo de la cantidad de memoria disponible. En la actualizaciĂłn HTTP a comunicaciĂłn remota, WriteTimeoutStreamSinkConduit pierde conexiones si RemotingConnection se cierra mediante Remoting ServerConnectionOpenListener. Debido a que la conexiĂłn remota se origina en Undertow como parte de la actualizaciĂłn HTTP, existe una capa externa a la conexiĂłn remota. Esta conexiĂłn desconoce la capa más externa al cerrar la conexiĂłn durante el procedimiento de apertura de la conexiĂłn. Por lo tanto, Undertow WriteTimeoutStreamSinkConduit no recibe notificaciĂłn de la conexiĂłn cerrada en este escenario. Debido a que WriteTimeoutStreamSinkConduit crea una tarea de tiempo de espera, todo el árbol de dependencia se filtra a travĂ©s de esa tarea, que se agrega a XNIO WorkerThread. Entonces, el hilo de trabajo apunta al conducto Undertow, que contiene las conexiones y causa la fuga.", }, ], id: "CVE-2024-1635", lastModified: "2024-04-17T16:15:07.720", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "secalert@redhat.com", type: "Secondary", }, ], }, published: "2024-02-19T22:15:48.647", references: [ { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:1674", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:1675", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:1676", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:1677", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:1860", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:1861", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:1862", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:1864", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:1866", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/security/cve/CVE-2024-1635", }, { source: "secalert@redhat.com", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264928", }, { source: "secalert@redhat.com", url: "https://security.netapp.com/advisory/ntap-20240322-0007/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Awaiting Analysis", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "secalert@redhat.com", type: "Primary", }, ], }, }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.