Bug 1573045 (CVE-2018-1114)

Summary: CVE-2018-1114 undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: avibelli, bgeorges, bmaxwell, bmcclain, cdewolf, chazlett, csutherl, darran.lofthouse, dblechte, dimitris, dmoppert, dosoudil, drieden, eedri, fgavrilo, jawilson, jbalunas, jondruse, jpallich, jshepherd, krathod, lef, lgao, lthon, mgoldboi, michal.skrivanek, mmiura, mszynkie, myarboro, pdrozd, pgallagh, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, puntogil, rnetuka, rruss, rstancel, rsvoboda, sbonazzo, security-response-team, sgoodman, sherold, sthorger, trogers, twalsh, vtunka, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that URLResource.getLastModified() in Undertow closes the file descriptors it opens only when they are finalized, which can exhaust the process's file descriptors. This leads to a file handle leak.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:20:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1573046, 1573047, 1590658
Bug Blocks: 1571068

Description Sam Fowler 2018-04-30 03:09:03 UTC
Undertow has a file handler leak vulnerability caused by JarURLConnection.getLastModified(). A remote attacker could exploit this to cause a denial of service.


External References:

https://issues.jboss.org/browse/UNDERTOW-1338
https://bugs.openjdk.java.net/browse/JDK-6956385
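
The Doc Text and the description above describe the mechanism: a last-modified lookup on a jar: URL opens the backing file and leaves its descriptor to the garbage collector's finalizer, so repeated lookups exhaust the descriptor table. The following is an added illustration written for this page, not Undertow's code and not its fix: `leakyLastModified` is the leak-prone pattern (a cached-off JarURLConnection asked for its last-modified header), and `safeLastModified` is one way to answer the same question for jar:file: and file: URLs without opening a stream at all, by reading the timestamp from the filesystem. The class name, method names, the throwaway jar it builds, and the Linux-only `/proc/self/fd` counter are all my own constructions.

```java
import java.io.IOException;
import java.net.JarURLConnection;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.jar.JarOutputStream;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;

/** Illustration of the CVE-2018-1114 leak pattern (not Undertow's code). */
public class JarLastModifiedLeak {

    /**
     * Leak-prone: answering the last-modified query makes the connection open
     * the jar file, and nothing here closes it, so the descriptor is released
     * only when the connection object is finalized (see JDK-6956385).
     */
    static long leakyLastModified(URL jarEntryUrl) throws IOException {
        URLConnection c = jarEntryUrl.openConnection();
        c.setUseCaches(false); // one fresh connection per call, as a server would do
        return c.getLastModified();
    }

    /**
     * Hardened: for local jars and files, stat the path instead of opening it.
     * getJarFileURL() is computed from the URL string and opens nothing.
     */
    static long safeLastModified(URL url) throws IOException {
        URLConnection c = url.openConnection();
        c.setUseCaches(false);
        try {
            if (c instanceof JarURLConnection) {
                URL jarFileUrl = ((JarURLConnection) c).getJarFileURL();
                if ("file".equals(jarFileUrl.getProtocol())) {
                    return Files.getLastModifiedTime(Paths.get(jarFileUrl.toURI())).toMillis();
                }
            } else if ("file".equals(url.getProtocol())) {
                return Files.getLastModifiedTime(Paths.get(url.toURI())).toMillis();
            }
        } catch (URISyntaxException e) {
            throw new IOException("cannot map URL to a path: " + url, e);
        }
        return c.getLastModified(); // non-local protocols: out of scope for this illustration
    }

    /** Descriptors currently held by this JVM (Linux only; -1 elsewhere). */
    static int openFdCount() {
        Path fdDir = Paths.get("/proc/self/fd");
        if (!Files.isDirectory(fdDir)) {
            return -1;
        }
        try (Stream<Path> entries = Files.list(fdDir)) {
            return (int) entries.count();
        } catch (IOException e) {
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a throwaway jar with a single entry.
        Path jar = Files.createTempFile("leak-demo", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new ZipEntry("hello.txt"));
            out.write("hello".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        URL entry = new URL("jar:" + jar.toUri() + "!/hello.txt");
        int calls = 200;

        int start = openFdCount();
        for (int i = 0; i < calls; i++) {
            leakyLastModified(entry);
        }
        int afterLeaky = openFdCount();
        for (int i = 0; i < calls; i++) {
            safeLastModified(entry);
        }
        int afterSafe = openFdCount();

        System.out.printf("open fds: start=%d, after %d leaky calls=%d, after %d safe calls=%d%n",
                start, calls, afterLeaky, calls, afterSafe);
        System.out.println("jar last modified (epoch ms): " + safeLastModified(entry));
        Files.delete(jar);
    }
}
```

On a JDK affected by JDK-6956385 the count after the leaky loop grows with the number of calls until a garbage-collection cycle runs the finalizers, while the safe loop leaves it flat; on a JDK where that issue has been fixed the two deltas match and the program shows only that the stat-based path is equivalent. The same `/proc/<pid>/fd` count is what an operator would watch on Linux to catch this class of leak in a running JVM before the descriptor limit is hit.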

Comment 1 Sam Fowler 2018-04-30 03:09:51 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1573047]

Comment 8 errata-xmlrpc 2018-09-04 13:44:58 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643

Comment 9 errata-xmlrpc 2018-09-11 07:55:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669

Comment 14 errata-xmlrpc 2019-04-24 18:46:44 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:0877