Bug 2117506 (CVE-2022-2764)

Summary: CVE-2022-2764 Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aboyko, aileenc, alazarot, anstephe, asoldano, avibelli, balejosg, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dkreling, dosoudil, eglynn, emingora, eric.wittmann, fjuma, fmongiar, ggrzybek, gmalinko, gsmet, hamadhan, ibek, ikanello, iweiss, james, janstey, jjoyce, jnethert, jochrist, jpavlik, jrokos, jwon, kverlaen, lgao, lhh, lthon, mburns, mgarciac, mnovotny, mosmerov, msochure, msvehla, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, ppalaga, probinso, pskopek, reno.symmank, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, smaestri, spower, sthorger, tom.jenkinson, tzimanyi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-09 17:02:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 2117501

Description Sandipan Roy 2022-08-11 08:10:56 UTC
UndertowInputStream.close() blocks waiting to read -1

https://issues.redhat.com/browse/UNDERTOW-2048
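
The Doc Text above describes a request body that never delivers its LAST_CHUNK. As an added example (not code from this report or from Undertow), the following Python classifies captured HTTP/1.1 chunked body bytes so that a proxy log or packet capture can be checked for bodies that stop short of the zero-length chunk. The function name, state names and sample bytes are constructed for illustration.

```python
# Added example: classify the bytes of an HTTP/1.1 chunked body received so far.
# All names and sample bytes below are constructed, not taken from Undertow.
COMPLETE, AWAITING_MORE, MALFORMED = "complete", "awaiting-more-data", "malformed"
HEX = b"0123456789abcdefABCDEF"


def classify_chunked_body(buf: bytes):
    """Return (state, payload_bytes_seen).

    AWAITING_MORE means a reader that blocks until the terminating
    zero-length chunk (the LAST_CHUNK) arrives would still be waiting.
    """
    pos, seen = 0, 0
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol == -1:
            return AWAITING_MORE, seen            # chunk-size line incomplete
        size_field = buf[pos:eol].split(b";", 1)[0].strip()  # drop extensions
        if not size_field or any(c not in HEX for c in size_field):
            return MALFORMED, seen
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # LAST_CHUNK seen: skip optional trailer lines up to the blank line.
            while True:
                eol = buf.find(b"\r\n", pos)
                if eol == -1:
                    return AWAITING_MORE, seen
                if eol == pos:
                    return COMPLETE, seen
                pos = eol + 2
        if len(buf) < pos + size + 2:
            # Chunk data (or its trailing CRLF) has not fully arrived.
            return AWAITING_MORE, seen + min(size, len(buf) - pos)
        if buf[pos + size:pos + size + 2] != b"\r\n":
            return MALFORMED, seen
        seen += size
        pos += size + 2


# Constructed sample bodies: a well-formed one, and the same bytes cut off
# before the terminating "0\r\n\r\n".
FULL = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
TRUNCATED = FULL[:-5]

if __name__ == "__main__":
    for name, body in (("full", FULL), ("truncated", TRUNCATED)):
        print(name, classify_chunked_body(body))
```

A connection whose body stays in the awaiting-more-data state with no further bytes arriving is the condition worth flagging when reviewing captures.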

Comment 4 Peter Palaga 2022-08-29 15:42:15 UTC
@pjindal I see that this CVE is valid for Undertow 2.x. I wonder whether it is also reproducible on quarkus-http which was developed on top of Undertow 2.x?
Note that there is io.undertow.httpcore.UndertowInputStream class in quarkus-http.

Comment 5 Paramvir jindal 2022-08-30 05:44:54 UTC
In reply to comment #4:
> @pjindal I see that this CVE is valid for Undertow 2.x. I wonder
> whether it is also reproducible on quarkus-http which was developed on top
> of Undertow 2.x?
> Note that there is io.undertow.httpcore.UndertowInputStream class in
> quarkus-http.

Peter, I have added you in https://issues.redhat.com/browse/UNDERTOW-2048; there is a comment on this Jira with details about reproducing this issue. Also, since quarkus-http is based on Undertow 2.x, Quarkus ships the affected code and hence it should be marked as affected. I am still not sure if this can be reproduced in Quarkus as it is not easy to reproduce.

Since this is already a Low impact CVE, I am marking quarkus as affected for this CVE so that we can fix the affected undertow code in quarkus 2.x.

Comment 10 james 2022-09-13 09:46:44 UTC
Is there a simple mitigation for this?

As far as I am aware, I don't use EJB invocations. Is there a setting to disable them, or are they not even configured by default?

Comment 13 errata-xmlrpc 2022-12-05 21:05:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2022:8792 https://access.redhat.com/errata/RHSA-2022:8792

Comment 14 errata-xmlrpc 2022-12-05 21:06:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:8790 https://access.redhat.com/errata/RHSA-2022:8790

Comment 15 errata-xmlrpc 2022-12-05 21:07:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:8791 https://access.redhat.com/errata/RHSA-2022:8791

Comment 16 errata-xmlrpc 2022-12-05 21:10:25 UTC
This issue has been addressed in the following products:

  EAP 7.4.8 release

Via RHSA-2022:8793 https://access.redhat.com/errata/RHSA-2022:8793

Comment 17 Product Security DevOps Team 2022-12-09 17:02:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2764