Bug 2117506 (CVE-2022-2764)

| Field | Value |
|---|---|
| Summary | CVE-2022-2764 Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Sandipan Roy <saroy> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Last Closed | 2022-12-09 17:02:29 UTC |
| Bug Blocks | 2117501 |
| CC | aboyko, aileenc, alazarot, anstephe, asoldano, avibelli, balejosg, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dkreling, dosoudil, eglynn, emingora, eric.wittmann, fjuma, fmongiar, ggrzybek, gmalinko, gsmet, hamadhan, ibek, ikanello, iweiss, james, janstey, jjoyce, jnethert, jochrist, jpavlik, jrokos, jwon, kverlaen, lgao, lhh, lthon, mburns, mgarciac, mnovotny, mosmerov, msochure, msvehla, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, ppalaga, probinso, pskopek, reno.symmank, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, smaestri, spower, sthorger, tom.jenkinson, tzimanyi |
| Doc Text | A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service. |

Description
Sandipan Roy
2022-08-11 08:10:56 UTC
@pjindal I see that this CVE is valid for Undertow 2.x. I wonder whether it is also reproducible on quarkus-http which was developed on top of Undertow 2.x? Note that there is io.undertow.httpcore.UndertowInputStream class in quarkus-http.

In reply to comment #4:
> @pjindal I see that this CVE is valid for Undertow 2.x. I wonder
> whether it is also reproducible on quarkus-http which was developed on top
> of Undertow 2.x?
> Note that there is io.undertow.httpcore.UndertowInputStream class in
> quarkus-http.

Peter, I have added you in https://issues.redhat.com/browse/UNDERTOW-2048, there is a comment on this jira on details about reproducing this issue. Also since quarkus-http is based on Undertow 2.x means quarkus ships the affected code and hence it should be marked as affected. I am still not sure if this can be reproduced in quarkus as it is not easy to reproduce. Since this is already a Low impact CVE, I am marking quarkus as affected for this CVE so that we can fix the affected undertow code in quarkus 2.x.

Is there a simple mitigation for this? As far as I am aware, I don't use EJB invocations. Is there a setting to disable them, or are they not even configured by default?

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Via RHSA-2022:8792 https://access.redhat.com/errata/RHSA-2022:8792

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2022:8790 https://access.redhat.com/errata/RHSA-2022:8790

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2022:8791 https://access.redhat.com/errata/RHSA-2022:8791

This issue has been addressed in the following products:
EAP 7.4.8 release
Via RHSA-2022:8793 https://access.redhat.com/errata/RHSA-2022:8793

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2764

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 7
Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 8
Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 9
Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

This issue has been addressed in the following products:
RHEL-8 based Middleware Containers
Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049
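
The Doc Text for this bug describes a chunked request whose terminating LAST_CHUNK never arrives. As an added example (not code from this bug report or from Undertow), the following Python classifies buffered HTTP/1.1 request bytes, for instance from a traffic capture, by whether the chunked body's last-chunk is present; the function names, path, host and sample requests are constructed for illustration.

```python
# Added example: classify buffered HTTP/1.1 request bytes by chunked framing.
CRLF = b"\r\n"
HEX = b"0123456789abcdefABCDEF"

def chunked_state(body: bytes) -> str:
    """Return 'complete', 'incomplete' (terminator not yet seen) or 'malformed'."""
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            return "incomplete"                     # chunk-size line not finished
        field = body[pos:eol].split(b";", 1)[0].strip()  # ignore chunk extensions
        if not field or any(c not in HEX for c in field):
            return "malformed"
        size, pos = int(field, 16), eol + 2
        if size == 0:                               # this is the last-chunk
            break
        if len(body) < pos + size + 2:
            return "incomplete"                     # chunk data still outstanding
        if body[pos + size:pos + size + 2] != CRLF:
            return "malformed"
        pos += size + 2
    while True:                                     # optional trailers, then empty line
        eol = body.find(CRLF, pos)
        if eol < 0:
            return "incomplete"
        if eol == pos:
            return "complete"
        pos = eol + 2

def request_framing(raw: bytes) -> str:
    """Classify one buffered request; 'not-chunked' if no chunked Transfer-Encoding."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        return "incomplete"                         # header block not finished
    te = b""
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"transfer-encoding":
            te = value.strip().lower()
    return chunked_state(body) if b"chunked" in te else "not-chunked"

# Constructed sample requests (hypothetical path and host).
HEAD = b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
SAMPLES = {
    "terminated": HEAD + b"5\r\nhello\r\n0\r\n\r\n",
    "no_last_chunk": HEAD + b"5\r\nhello\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, request_framing(raw))
```

An `incomplete` result on a connection that then stays idle matches the condition the Doc Text describes.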