Bug 2174246 (CVE-2023-1108)

Summary: CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
Product: [Other] Security Response Reporter: Paramvir jindal <pjindal>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, alampare, alazarot, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, eglynn, emingora, eric.wittmann, fjuma, fmongiar, gjospin, gmalinko, gsmet, hamadhan, hbraun, ibek, ikanello, ivassile, iweiss, janstey, jjoyce, jmartisk, jnethert, jpavlik, jrokos, kverlaen, lbacciot, lgao, lhh, lthon, max.andersen, mburns, mgarciac, mnovotny, mosmerov, msochure, msvehla, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, security-response-team, smaestri, spower, sthorger, tom.jenkinson, tqvarnst
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: undertow 2.3.5.Final, undertow 2.2.24.Final Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-09 23:25:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2174574    
Bug Blocks: 2174243    

Description Paramvir jindal 2023-02-28 23:39:23 UTC 
https://issues.redhat.com/browse/UNDERTOW-2239

A denial-of-service vulnerability found in Undertow :

Latest JDKs from the January 18th release (jdk 11.0.18, and may be jdk 17.0.6) include this change: https://github.com/openjdk/jdk11u/commit/243a55ef31e9584467482c6159501b5d522a9427#diff-fd78e578d9d538ff23130422a81e277b5482ac752dc158b6dc07737a9c4c3f4bR737-L737
Which is suspected to be the cause of an infinite loop in SslConduit here: https://github.com/undertow-io/undertow/blob/d508c1328ba5c1ca228bfcc405f2c6b9321a1139/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java#L1002-L1004

Where there is HandshakeStatus.NEED_WRAP but the status is updated to Status.CLOSED (new in this JDK release) so the loop never terminates.
Comment 10 errata-xmlrpc 2023-03-09 19:35:39 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2023:1184 https://access.redhat.com/errata/RHSA-2023:1184
Comment 11 errata-xmlrpc 2023-03-09 19:38:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:1185 https://access.redhat.com/errata/RHSA-2023:1185
Comment 12 Product Security DevOps Team 2023-03-09 23:24:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1108
Comment 14 errata-xmlrpc 2023-03-29 11:41:11 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:1514 https://access.redhat.com/errata/RHSA-2023:1514
Comment 15 errata-xmlrpc 2023-03-29 11:42:37 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:1513 https://access.redhat.com/errata/RHSA-2023:1513
Comment 16 errata-xmlrpc 2023-03-29 11:44:23 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:1512 https://access.redhat.com/errata/RHSA-2023:1512
Comment 17 errata-xmlrpc 2023-03-29 11:46:14 UTC 
This issue has been addressed in the following products:

  EAP 7.4.10 release

Via RHSA-2023:1516 https://access.redhat.com/errata/RHSA-2023:1516
Comment 18 errata-xmlrpc 2023-05-04 15:57:20 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2023:2135 https://access.redhat.com/errata/RHSA-2023:2135
Comment 19 errata-xmlrpc 2023-06-27 18:49:26 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:3885 https://access.redhat.com/errata/RHSA-2023:3885
Comment 20 errata-xmlrpc 2023-06-27 18:49:36 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:3884 https://access.redhat.com/errata/RHSA-2023:3884
Comment 21 errata-xmlrpc 2023-06-27 18:49:52 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:3888 https://access.redhat.com/errata/RHSA-2023:3888
Comment 22 errata-xmlrpc 2023-06-27 18:50:24 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3883
Comment 23 errata-xmlrpc 2023-06-27 18:53:49 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:3892 https://access.redhat.com/errata/RHSA-2023:3892
Comment 24 errata-xmlrpc 2023-06-29 20:08:20 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
Comment 25 errata-xmlrpc 2023-08-16 10:56:06 UTC 
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.7.13

Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612
Comment 31 errata-xmlrpc 2025-04-28 00:19:35 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2025:4226 https://access.redhat.com/errata/RHSA-2025:4226