Bug 1628702 (CVE-2018-14642)

Summary: CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: avibelli, bgeorges, bmaxwell, bmcclain, cdewolf, chazlett, csutherl, darran.lofthouse, dblechte, dfediuck, dimitris, dmoppert, dosoudil, drieden, eedri, fgavrilo, jawilson, jbalunas, jondruse, jpallich, jshepherd, krathod, lef, lgao, lthon, mgoldboi, michal.skrivanek, mszynkie, myarboro, pdrozd, pgallagh, pgier, ppalaga, psakar, psampaio, pslavice, psotirop, puntogil, rnetuka, rolando.cruz, rruss, rstancel, rsvoboda, sbonazzo, security-response-team, sherold, sthorger, trogers, twalsh, vtunka, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20180914,reported=20180913,source=upstream,cvss3=5.3/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-200,fedora-all/undertow=affected,eap-7/undertow=affected,eap-6/jbossweb=new,jdg-7/undertow=new,fuse-6/undertow=new,fuse-7/undertow=new,rhsso-7/undertow=new,fis-2/undertow=new,swarm-7/undertow=new,rhev-m-4/rhvm-appliance=affected
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-22 02:46:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1651413
Bug Blocks: 1628704

Description Pedro Sampaio 2018-09-13 18:24:25 UTC
In some circumstances Undertow can serve data from a random ByteBuffer; this is due to an incomplete fix for UNDERTOW-438.

Basically, if all the headers are not written out in the first write() call, then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.

Upstream bug:

https://issues.jboss.org/browse/JBEAP-15428

Upstream patch:

https://github.com/jbossas/redhat-undertow/commit/e65ad5b410f95b166ff04f876e22f873e9b4ce62
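The buffer-reuse pattern behind this report, as an added illustration that is not Undertow's code or the upstream patch: a pooled ByteBuffer (named writevBuffer here to match the description) is reused across requests, and the vulnerable flush sends the whole backing array instead of only the bytes staged for the current request. The class, method names and header values are constructed for the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Simplified model of the bug class in CVE-2018-14642 (constructed example, not Undertow code).
public class StaleBufferLeak {
    private static final int CAP = 32;
    private final ByteBuffer writevBuffer = ByteBuffer.allocate(CAP); // reused across requests

    // Stage response header bytes that the first write() did not get onto the wire.
    void stage(String headers) {
        writevBuffer.clear(); // resets position/limit only; bytes from the previous request stay
        writevBuffer.put(headers.getBytes(StandardCharsets.US_ASCII));
    }

    // Vulnerable flush: reads position 0..capacity, so stale bytes after the headers leak.
    byte[] flushVulnerable() {
        byte[] wire = new byte[writevBuffer.capacity()];
        writevBuffer.position(0);
        writevBuffer.limit(writevBuffer.capacity());
        writevBuffer.get(wire);
        return wire;
    }

    // Fixed flush: flip() sets limit = position, so only this request's bytes are read.
    byte[] flushFixed() {
        writevBuffer.flip();
        byte[] wire = new byte[writevBuffer.remaining()];
        writevBuffer.get(wire);
        return wire;
    }

    public static void main(String[] args) {
        StaleBufferLeak conn = new StaleBufferLeak();
        // Request 1 leaves a sensitive header in the pooled buffer (constructed sample value).
        conn.stage("X-Token: secret-from-req-1\r\n");
        conn.flushFixed();
        // Request 2 stages a shorter header block into the same buffer.
        conn.stage("HTTP/1.1 200 OK\r\n");
        String leaked = new String(conn.flushVulnerable(), StandardCharsets.US_ASCII);
        conn.stage("HTTP/1.1 200 OK\r\n");
        String clean = new String(conn.flushFixed(), StandardCharsets.US_ASCII);
        // trim() drops the unused NUL tail; CRLFs are escaped so the leak is visible on one line.
        System.out.println("vulnerable flush (" + leaked.length() + " bytes): "
                + leaked.trim().replace("\r\n", "\\r\\n"));
        System.out.println("fixed flush (" + clean.length() + " bytes): "
                + clean.trim().replace("\r\n", "\\r\\n"));
    }
}
```

The vulnerable output carries the tail of request 1's header after the second request's status line, which is the cross-request leak the description refers to; a defender reviewing a buffer-pooling change should look for a bound derived from the current write (flip(), or an explicit limit) on every flush path, not just the first write() call.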

Comment 6 errata-xmlrpc 2019-02-18 15:42:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:0362 https://access.redhat.com/errata/RHSA-2019:0362

Comment 7 errata-xmlrpc 2019-02-18 15:46:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2019:0364 https://access.redhat.com/errata/RHSA-2019:0364

Comment 8 errata-xmlrpc 2019-02-18 15:49:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2019:0365 https://access.redhat.com/errata/RHSA-2019:0365

Comment 9 errata-xmlrpc 2019-02-19 17:19:01 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.2.6 zip

Via RHSA-2019:0380 https://access.redhat.com/errata/RHSA-2019:0380

Comment 10 errata-xmlrpc 2019-05-08 12:04:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1106

Comment 11 errata-xmlrpc 2019-05-08 12:09:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1107

Comment 12 errata-xmlrpc 2019-05-08 12:11:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1108

Comment 13 errata-xmlrpc 2019-05-09 18:14:52 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.1 zip

Via RHSA-2019:1140 https://access.redhat.com/errata/RHSA-2019:1140

Comment 14 Joshua Padman 2019-05-15 22:57:08 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 15 Product Security DevOps Team 2019-08-22 02:46:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-14642

Comment 16 Joshua Padman 2019-08-28 11:18:23 UTC
RH Single Sign-On has been fixed since 7.3.2, which included undertow-core-2.0.19.Final-redhat-00001.jar.

Comment 17 Paramvir jindal 2019-08-30 11:14:31 UTC
Marked JDG as not affected as it already includes the fixed version of undertow-core, i.e.:

JDG7.3.2/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.2.CP/io/undertow/core/main/undertow-core-2.0.19.Final-redhat-00001.jar

Comment 18 Jonathan Christison 2019-08-30 11:55:51 UTC
Marked Fuse as not affected as the undertow version defined in the poms is 2.0.20.Final-redhat-00001.