Bug 1905796 (CVE-2020-35510)

Summary: CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
Product: [Other] Security Response Reporter: Ted Jongseok Won <jwon>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, eleandro, etirelli, ggaughan, gmalinko, gvarsami, ibek, iweiss, janstey, jawilson, jbamanya, jcoleman, jochrist, jolee, jpallich, jperkins, jschatte, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, loleary, lthon, mnovotny, msochure, msvehla, mszynkie, nwallace, pdrozd, pgallagh, pjindal, pmackay, rguimara, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sdaley, smaestri, spinder, sthorger, tcunning, theute, tkirby, tom.jenkinson, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jboss-remoting 5.0.20.SP1-redhat-00001 Doc Type: ---
Doc Text:
A flaw was found in jboss-remoting. A malicious attacker could cause threads to hold up forever in the EJB server by writing a sequence of bytes corresponding to the expected messages of a successful EJB client request, but omitting the ACK messages, or just tamper with jboss-remoting code, deleting the lines that send the ACK message from the EJB client code resulting in a denial of service. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-16 19:19:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1902747    

Description Ted Jongseok Won 2020-12-09 05:33:23 UTC 
A flaw was found in JBoss Remoting. When a malicious attacker could cause threads holding up forever in the EJB server by writing a sequence of bytes corresponding to the expected messages of a successful EJB client request, but omitting the ack messages, or just tamper with jboss-remoting code, deleting the lines that send the ack message from the EJB client code resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Comment 3 Ted Jongseok Won 2020-12-22 01:43:49 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Operations Network 3
 * Red Hat Data Grid 7
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 4 Jonathan Christison 2021-01-05 11:11:02 UTC 
Marking Red Hat Fuse 7 as having a low impact, Fuse 7 distributes affected versions of JBoss Remoting via Fuse on EAP, however the functionality of these artifacts is not used by Fuse.
Comment 6 errata-xmlrpc 2021-03-16 13:19:25 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2021:0885 https://access.redhat.com/errata/RHSA-2021:0885
Comment 7 errata-xmlrpc 2021-03-16 13:35:29 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:0873 https://access.redhat.com/errata/RHSA-2021:0873
Comment 8 errata-xmlrpc 2021-03-16 13:39:39 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:0874 https://access.redhat.com/errata/RHSA-2021:0874
Comment 9 errata-xmlrpc 2021-03-16 13:43:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:0872 https://access.redhat.com/errata/RHSA-2021:0872
Comment 10 Product Security DevOps Team 2021-03-16 19:19:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35510
Comment 11 errata-xmlrpc 2021-03-23 14:17:51 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.6

Via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974
Comment 12 errata-xmlrpc 2021-06-02 14:23:39 UTC 
This issue has been addressed in the following products:

  Red Hat EAP-XP via EAP 7.3.x base

Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210
Comment 13 errata-xmlrpc 2021-12-14 21:33:15 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134