Bug 1144210 (CVE-2014-3648)

Summary: CVE-2014-3648 JBoss AeroGear: DDoS via deviceToken
Product: [Other] Security Response
Reporter: Trevor Jay <tjay>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: grocha, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-26 20:02:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Trevor Jay 2014-09-19 02:52:06 UTC
The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled.

If an attacker registers bogus applications with bad deviceTokens, they can generate endless exceptions when those endpoints can't be reached, or can slow the server down by purposefully wasting its time with slow endpoints they control.

Similarly, attackers can provide whatever HTTP endpoint they want, using the server as a DDoS and malware vector.
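The mitigation pattern for a push loop like the one described in this report is to treat the registration-supplied endpoint as untrusted: only deliver to hosts the operator has explicitly allowed, bound every outbound request with a timeout, and stop retrying an installation whose endpoint keeps failing so one bad registration cannot consume the loop indefinitely. The code below is an added illustration written for this page, not AeroGear SimplePush code; the installation records, the `allowed_hosts` list and the injected `send` callable are constructed stand-ins for the server's registry and HTTP client.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample registrations (hypothetical, not AeroGear data).
# "deviceToken" here is the endpoint URL the registrant supplied.
SAMPLE_INSTALLATIONS = [
    {"id": "inst-1", "deviceToken": "https://push.example.org/notify/abc"},
    {"id": "inst-2", "deviceToken": "http://127.0.0.1:8080/admin"},    # loopback, plain http
    {"id": "inst-3", "deviceToken": "ftp://push.example.org/x"},       # wrong scheme
    {"id": "inst-4", "deviceToken": "https://push.example.org/slow"},  # never answers
]

# Operator-configured policy (constructed values).
ALLOWED_HOSTS = ("push.example.org",)
PUSH_TIMEOUT_SECONDS = 2.0
MAX_CONSECUTIVE_FAILURES = 3


def endpoint_is_acceptable(url: str, allowed_hosts) -> bool:
    """Return True only for https URLs whose host is on the operator allowlist.

    IP literals and URLs carrying credentials are rejected outright so the
    hostname policy cannot be sidestepped.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    if parsed.username or parsed.password:
        return False
    host = parsed.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # bare IP literal: not subject to the hostname allowlist
    except ValueError:
        pass  # a hostname, as expected
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


@dataclass
class PushState:
    """Per-installation delivery bookkeeping kept across push rounds."""
    failures: dict = field(default_factory=dict)  # id -> consecutive failures
    disabled: set = field(default_factory=set)    # ids no longer pushed to


def deliver_all(installations, send, state, allowed_hosts=ALLOWED_HOSTS):
    """Push to every enabled installation; returns the ids that were delivered.

    `send(url, timeout)` is the outbound HTTP call, injected so the loop can be
    exercised offline; it must raise on network error or timeout.
    """
    delivered = []
    for inst in installations:
        iid = inst["id"]
        if iid in state.disabled:
            continue
        url = inst["deviceToken"]
        if not endpoint_is_acceptable(url, allowed_hosts):
            state.disabled.add(iid)  # policy failure: never retry
            continue
        try:
            send(url, timeout=PUSH_TIMEOUT_SECONDS)
        except Exception:  # unreachable or slow endpoint, bounded by the timeout
            n = state.failures.get(iid, 0) + 1
            state.failures[iid] = n
            if n >= MAX_CONSECUTIVE_FAILURES:
                state.disabled.add(iid)  # stop wasting cycles on this endpoint
            continue
        state.failures[iid] = 0
        delivered.append(iid)
    return delivered


def fake_send(url, timeout):
    """Constructed stand-in for the HTTP client: the '/slow' path times out."""
    if url.endswith("/slow"):
        raise TimeoutError(f"no response within {timeout}s")


if __name__ == "__main__":
    state = PushState()
    for round_no in range(1, MAX_CONSECUTIVE_FAILURES + 1):
        ok = deliver_all(SAMPLE_INSTALLATIONS, fake_send, state)
        print(f"round {round_no}: delivered={ok} disabled={sorted(state.disabled)}")
```

In a real deployment `send` would be the HTTP client call with the same timeout argument; the point of the loop is that a registrant can only ever cost the server one bounded request per round until its installation is disabled, and can never direct the server at a host outside the allowlist.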

Comment 1 Arun Babu Neelicattu 2014-09-29 05:23:13 UTC
Upstream Issue:

https://issues.jboss.org/browse/AEROGEAR-1515

Comment 2 Trevor Jay 2014-09-29 05:44:51 UTC
Statement:

Not Vulnerable. Aerogear is not provided by any Red Hat product.