Bug 2209689 (CVE-2023-3223)
| Summary: | CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, alampare, alazarot, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, eglynn, emingora, eric.wittmann, fjuma, gjospin, gmalinko, gsmet, hamadhan, hbraun, ibek, ikanello, ivassile, iweiss, janstey, jjoyce, jmartisk, jrokos, jschluet, kverlaen, lbacciot, lgao, lhh, lthon, max.andersen, mburns, mgarciac, mnovotny, mosmerov, msochure, mstefank, msvehla, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pgrist, pjindal, pmackay, probinso, pskopek, rguimara, rowaters, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, security-response-team, smaestri, sthorger, tom.jenkinson, tqvarnst |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | undertow 2.2.24 | Doc Type: | --- |
| Doc Text: |
A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-08-07 20:08:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2208052 | ||
|
Description
Patrick Del Bello
2023-05-24 14:00:17 UTC
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2023:4509 https://access.redhat.com/errata/RHSA-2023:4509 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2023:4505 https://access.redhat.com/errata/RHSA-2023:4505 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2023:4506 https://access.redhat.com/errata/RHSA-2023:4506 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:4507 https://access.redhat.com/errata/RHSA-2023:4507 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-3223 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:4919 https://access.redhat.com/errata/RHSA-2023:4919 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:4918 https://access.redhat.com/errata/RHSA-2023:4918 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:4920 https://access.redhat.com/errata/RHSA-2023:4920 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:4921 https://access.redhat.com/errata/RHSA-2023:4921 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6.5 Via RHSA-2023:4924 https://access.redhat.com/errata/RHSA-2023:4924 This issue has been addressed in the following products: Red Hat Fuse 7.12.1 Via RHSA-2023:7247 https://access.redhat.com/errata/RHSA-2023:7247 |