Bug 1780445 (CVE-2019-19343)

Summary: CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, carnil, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, etirelli, extras-orphan, gandavar, ggaughan, ibek, iweiss, janstey, jawilson, jbalunas, jochrist, jpallich, jperkins, jstastny, jwon, krathod, kverlaen, kwills, lef, lgao, lthon, mnovotny, msochure, msvehla, mszynkie, nwallace, paradhya, pdrozd, pgallagh, pjindal, pmackay, psotirop, puntogil, rguimara, rrajasek, rruss, rsvoboda, rsynek, sdaley, smaestri, sthorger, tom.jenkinson, trogers, twalsh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: undertow 2.0.25.SP1, jboss-remoting 5.0.14.SP1
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in Undertow when using Remoting as shipped in Red Hat JBoss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-06-15 17:20:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1780446
Bug Blocks: 1698222, 1942139

Description Pedro Sampaio 2019-12-06 03:14:59 UTC
A flaw was found in Undertow as shipped in JBoss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service.

References:

https://issues.redhat.com/browse/JBEAP-16695

Comment 1 Pedro Sampaio 2019-12-06 03:15:32 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1780446]

Comment 5 Paramvir jindal 2019-12-17 08:57:45 UTC
Since this issue is fixed in EAP 7.2.4, the fixed versions of the jars are:

undertow-core-2.0.25.SP1-redhat-00001.jar
jboss-remoting-5.0.14.SP1-redhat-00001.jar

JDG 7.3.4  ships :
JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/io/undertow/core/main/undertow-core-2.0.26.SP3-redhat-00001.jar
JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/org/jboss/remoting/main/jboss-remoting-5.0.16.Final-redhat-00001.jar

These seem to be fixed already, so marking JDG as not affected.

Comment 6 Paramvir jindal 2019-12-17 09:03:42 UTC
RHSSO 7.3.5 ships :

RHSSO/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/io/undertow/core/main/undertow-core-2.0.26.SP3-redhat-00001.jar
RHSSO/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/org/jboss/remoting/main/jboss-remoting-5.0.16.Final-redhat-00001.jar

These seem to be fixed already, so marking RHSSO as not affected.
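
As an added example (not Red Hat tooling and not code from this bug), the jar-version check that comments 5 and 6 perform by hand, done over a whole modules tree. The thresholds come from the "Fixed In Version" field (undertow-core 2.0.25.SP1, jboss-remoting 5.0.14.SP1). The sample paths are the ones quoted above plus a constructed pre-fix pair; the ordering rule Final < SP1 < SP2 within one base version and the rule that the highest version on disk (the .overlays copy) is the effective one are assumptions, as noted in the code.

```python
"""Check an EAP-style modules tree for the CVE-2019-19343 fixed jar versions.

Added example, not Red Hat's own tooling. Fixed versions are taken from the
bug's "Fixed In Version" field. The version ordering (Final < SP1 < SP2 ...)
and the "newest copy on disk is the loaded one" rule are assumptions.
"""
import os
import re

# Minimum fixed versions, from the bug header.
FIXED = {
    "undertow-core": "2.0.25.SP1",
    "jboss-remoting": "5.0.14.SP1",
}

# Matches names like undertow-core-2.0.26.SP3-redhat-00001.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-"
    r"(?P<version>\d+(?:\.\d+)*(?:\.(?:Final|SP\d+))?)"
    r"(?:-redhat-\d+)?\.jar$"
)

# Sample input: the paths quoted in comment 5 (JDG 7.3.4), not a real scan.
SAMPLE_FIXED = [
    "JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/io/undertow/core/main/undertow-core-2.0.26.SP3-redhat-00001.jar",
    "JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/org/jboss/remoting/main/jboss-remoting-5.0.16.Final-redhat-00001.jar",
]
# Constructed pre-fix pair (versions below the threshold) for contrast.
SAMPLE_OLD = [
    "EAP/modules/system/layers/base/io/undertow/core/main/undertow-core-2.0.21.Final-redhat-00001.jar",
    "EAP/modules/system/layers/base/org/jboss/remoting/main/jboss-remoting-5.0.12.Final-redhat-00001.jar",
]


def version_key(version):
    """Sortable key for versions such as 2.0.25.SP1 or 5.0.16.Final.

    Assumption: within one base version, Final < SP1 < SP2 < ... (a service
    pack is built on top of the Final release).
    """
    nums, sp = [], 0
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        elif part.startswith("SP") and part[2:].isdigit():
            sp = int(part[2:])
        # "Final" (or any other qualifier) leaves sp at 0
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums) + (sp,)


def parse_jar(path):
    """Return (artifact, version) for a jar file name, or None if not parseable."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def find_jars(paths):
    """Map artifact -> list of (version, path), for the artifacts in FIXED only."""
    found = {}
    for p in paths:
        parsed = parse_jar(p)
        if parsed and parsed[0] in FIXED:
            found.setdefault(parsed[0], []).append((parsed[1], p))
    return found


def verdict(paths):
    """artifact -> True if the newest copy on disk meets the fixed version.

    Assumption: after a cumulative patch the base-layer jar stays on disk but
    the copy under .overlays/ is the one loaded, so the highest version present
    is the effective one. An artifact that is not found maps to None.
    """
    found = find_jars(paths)
    result = {}
    for artifact, fixed_version in FIXED.items():
        if artifact not in found:
            result[artifact] = None
            continue
        newest = max(found[artifact], key=lambda vp: version_key(vp[0]))
        result[artifact] = version_key(newest[0]) >= version_key(fixed_version)
    return result


def scan_tree(root):
    """Collect every .jar path under an installation's modules directory."""
    jars = []
    for dirpath, _dirs, files in os.walk(root):
        jars.extend(os.path.join(dirpath, f) for f in files if f.endswith(".jar"))
    return jars


if __name__ == "__main__":
    import sys
    # Pass a modules directory to scan a real install; otherwise use the sample.
    paths = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FIXED
    for artifact, ok in verdict(paths).items():
        state = "not found" if ok is None else ("fixed" if ok else "AFFECTED")
        print(f"{artifact}: {state} (needs >= {FIXED[artifact]})")
```

Run it with the path to a product's modules directory (for example the JDG/modules or RHSSO/modules trees named above) to get one line per artifact; anything reported AFFECTED is below the version the erratum ships.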

Comment 7 Salvatore Bonaccorso 2020-01-09 05:44:15 UTC
Hi

Can you confirm, is this an issue which is in undertow actually and fixed there or specific to JBOSS remoting? The CVE seem associated with undertow itself, and according to the subject here a memory leak in the HttpOpenListener. If fixed in undertow, is there a respective upstream issue and fix?

Regards,
Salvatore

Comment 8 Pedro Sampaio 2020-01-09 15:27:33 UTC
(In reply to Salvatore Bonaccorso from comment #7)
> Hi
> 
> Can you confirm, is this an issue which is in undertow actually and fixed
> there or specific to JBOSS remoting? The CVE seem associated with undertow
> itself, and according to the subject here a memory leak in the
> HttpOpenListener. If fixed in undertow, is there a respective upstream issue
> and fix?
> 
> Regards,
> Salvatore

Hi Kunjan,

Can you help with this?

Thanks.

Comment 10 Kunjan Rathod 2020-01-21 21:23:53 UTC
In reply to comment #7:
> Hi
> 
> Can you confirm, is this an issue which is in undertow actually and fixed
> there or specific to JBOSS remoting? The CVE seem associated with undertow
> itself, and according to the subject here a memory leak in the
> HttpOpenListener. If fixed in undertow, is there a respective upstream issue
> and fix?
> 
> Regards,
> Salvatore

Hello Salvatore,

The issue appears to affect both Undertow and Remoting. However, the fix appears to have been added in Remoting (REM3-347), as it looks to be causing the memory leak in Undertow HttpOpenListener (which appears to hold remoting connections indefinitely). The https://issues.redhat.com/browse/REM3-347 appears to be an upstream issue filed for the same; however, I am in discussion with Engineering to get the final confirmation on the same.

Comment 11 Salvatore Bonaccorso 2020-02-15 13:32:25 UTC
Hi Kunjan,

(In reply to Kunjan Rathod from comment #10)
> The https://issues.redhat.com/browse/REM3-347 appears to be
> an upstream issue filed for the same, however I am in discussion with
> Engineering to get the final confirmation on the same.

Was there any conclusion on that? And do I interpret it correctly, the issue on undertow side will likely not be fixed?

Thanks for your time!

Regards,
Salvatore

Comment 13 Kunjan Rathod 2020-02-18 21:30:55 UTC
In reply to comment #11:
> Hi Kunjan,
> 
> (In reply to Kunjan Rathod from comment #10)
> > The https://issues.redhat.com/browse/REM3-347 appears to be
> > an upstream issue filed for the same, however I am in discussion with
> > Engineering to get the final confirmation on the same.
> 
> Was there any conclusion on that? And do I interpret it correctly, the issue
> on undertow side will likely not be fixed?
> 
> Thanks for your time!
> 
> Regards,
> Salvatore

The issue appears to be fixed in both Undertow and Remoting; however, I am communicating/discussing internally to get more details.

Comment 14 Kunjan Rathod 2020-03-11 23:02:19 UTC
In reply to comment #11:
> Hi Kunjan,
> 
> (In reply to Kunjan Rathod from comment #10)
> > The https://issues.redhat.com/browse/REM3-347 appears to be
> > an upstream issue filed for the same, however I am in discussion with
> > Engineering to get the final confirmation on the same.
> 
> Was there any conclusion on that? And do I interpret it correctly, the issue
> on undertow side will likely not be fixed?
> 
> Thanks for your time!
> 
> Regards,
> Salvatore

The fix was a change in Remoting; however, it manifested in an Undertow use case, therefore the title correctly mentions Undertow as well as Remoting.

Comment 20 errata-xmlrpc 2020-06-15 16:18:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565

Comment 21 Product Security DevOps Team 2020-06-15 17:20:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19343

Comment 22 errata-xmlrpc 2020-12-16 12:13:13 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568