Bug 1308465 (CVE-2016-2094)

Summary: CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL handshake from client
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, jawilson, jshepherd, lgao, myarboro, osoukup, pslavice, rmaucher, rnetuka, rsvoboda, security-response-team, slong, twalsh, vtunka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A read-timeout flaw was found in the HTTPS NIO Connector handling of SSL handshakes. A remote, unauthenticated attacker could create a socket and cause a thread to remain occupied indefinitely so long as the socket remained open (denial of service).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 00:49:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1307039    
Bug Blocks: 1308466    

Description Adam Mariš 2016-02-15 09:51:09 UTC 
It was reported that HTTPS NIO connector uses no timeout when reading SSL handshake from a client to tie up a thread on the server just by creating a socket. Attacker could create socket and then never sends the handshake or any data at all, which causes the thread to remain occupied indefinitely so long as the socket remains open.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1307039
Comment 3 Jason Shepherd 2016-02-16 22:59:45 UTC 
Undertow in EAP 7 is not vulnerable.  The SSL handshake read does not occupy a thread with Undertow and the handshake read times out as expected by the listener's read-timeout.
Comment 5 errata-xmlrpc 2016-04-05 20:42:24 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0598 https://rhn.redhat.com/errata/RHSA-2016-0598.html
Comment 6 errata-xmlrpc 2016-04-05 20:43:16 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0597 https://rhn.redhat.com/errata/RHSA-2016-0597.html
Comment 7 errata-xmlrpc 2016-04-05 20:44:22 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 8 errata-xmlrpc 2016-04-05 20:45:26 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html
Comment 9 errata-xmlrpc 2016-04-05 22:21:28 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:0599 https://rhn.redhat.com/errata/RHSA-2016-0599.html
Comment 10 errata-xmlrpc 2016-04-28 17:42:21 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 11 errata-xmlrpc 2016-04-28 17:42:57 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html