Bug 2241822 (CVE-2023-5685)

Summary: CVE-2023-5685 xnio: StackOverflowException when the chain of notifier states becomes problematically big
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: aileenc, asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, carnil, cdewolf, chazlett, cmiranda, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, ecerquei, fjuma, fmariani, gmalinko, ibek, ivassile, iweiss, james, janstey, jpoth, jrokos, kverlaen, lgao, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, parichar, pcongius, pdrozd, peholase, pjindal, pmackay, pskopek, rguimara, rowaters, rstancel, security-response-team, smaestri, sthorger, tasato, tcunning, tom.jenkinson, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: xnio 3.8.14, xnio 3.8.12.SP1, xnio 3.8.11.SP1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in XNIO. Every notifier registered on an IoFuture is held in a NotifierState that links to the previous one, and notification is delivered by recursing along that chain. When the chain becomes very long, completing the future exhausts the thread stack and throws a java.lang.StackOverflowError (referred to as a StackOverflowException in the CVE title). An attacker who can drive the number of pending notifiers can therefore cause uncontrolled resource consumption and a denial of service (DoS).
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2241803

Description Patrick Del Bello 2023-10-02 20:16:31 UTC
A flaw was found in XNIO. XNIO NotifierState can cause a StackOverflowException when the chain of notifier states becomes problematically big, which may lead to uncontrolled resource management and a possible Denial of Service (DoS).

Comment 5 James Howe 2024-03-07 14:29:57 UTC
> xnio 3.8.14

When will this release be available? It's not yet in Maven Central, for example.

Comment 6 Salvatore Bonaccorso 2024-03-10 14:18:16 UTC
Hi

Can you provide a reference to the upstream commit fixing this issue? While there seems to be a preparation commit for the next 3.8.14.Final in https://github.com/xnio/xnio/commit/9b3ce71411688969cb455e5c1b62dce8303bd80e I could not find something related to this description.

Is there an upstream (public) issue for this?

Comment 7 Patrick Del Bello 2024-03-13 17:01:30 UTC
Hi @carnil,

I just checked with the maintainers. Please watch this page https://issues.redhat.com/browse/WFCORE-6738
The details will be added as they are working on a backport.

Comment 8 James Howe 2024-03-21 12:46:59 UTC
The work was done here: https://issues.redhat.com/browse/XNIO-423

The problem is these `next` calls: https://github.com/xnio/xnio/blob/3.8.13.Final/api/src/main/java/org/xnio/AbstractIoFuture.java#L249

Release 3.8.14 (https://issues.redhat.com/projects/XNIO/versions/12423148) does not currently have an estimated release date.

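The mechanism James Howe points at above (recursive `next` calls through a linked chain of notifier states) modelled as an added illustration. This is not XNIO's AbstractIoFuture code and not the XNIO-423 patch: the class and method names (NotifierChainDemo, NotifierState, notifyRecursive, notifyIterative, buildChain, tryDeliver) are assumptions chosen to mirror the description, and the hardened variant shows the generic remedy for this bug class, a loop over the chain instead of recursion, without claiming that is exactly what upstream changed.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration of the bug class behind CVE-2023-5685. Simplified model,
// not XNIO's AbstractIoFuture; all names here are hypothetical.
public class NotifierChainDemo {

    interface Notifier {
        void onDone(String result);
    }

    /** Each registered notifier wraps the previous state, so chain depth == number of notifiers. */
    static final class NotifierState {
        final Notifier notifier;
        final NotifierState next; // null at the end of the chain

        NotifierState(Notifier notifier, NotifierState next) {
            this.notifier = notifier;
            this.next = next;
        }
    }

    /** Vulnerable-style delivery: one stack frame per notifier in the chain. */
    static void notifyRecursive(NotifierState state, String result) {
        if (state == null) {
            return;
        }
        state.notifier.onDone(result);
        notifyRecursive(state.next, result); // recursion depth grows with the chain
    }

    /** Hardened delivery: walk the chain in a loop, constant stack depth regardless of length. */
    static void notifyIterative(NotifierState state, String result) {
        for (NotifierState s = state; s != null; s = s.next) {
            s.notifier.onDone(result);
        }
    }

    /** Builds a chain of n notifiers that each record the result in sink (constructed test input). */
    static NotifierState buildChain(int n, List<String> sink) {
        NotifierState head = null;
        for (int i = 0; i < n; i++) {
            head = new NotifierState(r -> sink.add(r), head);
        }
        return head;
    }

    /**
     * Completes a future with n notifiers attached. Returns true if every notifier
     * was called, false if delivery died with a StackOverflowError.
     */
    static boolean tryDeliver(boolean recursive, int n) {
        List<String> sink = new ArrayList<>();
        NotifierState chain = buildChain(n, sink);
        try {
            if (recursive) {
                notifyRecursive(chain, "done");
            } else {
                notifyIterative(chain, "done");
            }
        } catch (StackOverflowError e) {
            return false;
        }
        return sink.size() == n;
    }

    public static void main(String[] args) {
        // Chain depth is attacker-influenced wherever an untrusted party can cause
        // many notifiers to be registered on a single future before it completes.
        int n = 1_000_000;
        System.out.println("recursive delivery, n=" + n + ": "
                + (tryDeliver(true, n) ? "ok" : "StackOverflowError"));
        System.out.println("iterative delivery, n=" + n + ": "
                + (tryDeliver(false, n) ? "ok" : "StackOverflowError"));
    }
}
```

Run with `java NotifierChainDemo.java` (JDK 11 or later). On a default thread stack the recursive variant fails with StackOverflowError long before it reaches a million notifiers, while the iterative variant completes for any depth the heap allows. For triage the question to ask of an application on the affected versions is whether untrusted input can keep registering notifiers on one not-yet-completed future; the practical fix is to move to one of the versions listed under Fixed In Version above, which can be checked in a Maven build with `mvn dependency:tree` and looking for the resolved xnio artifacts.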
Comment 13 errata-xmlrpc 2024-05-06 14:10:19 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.4.0 for Spring Boot

Via RHSA-2024:2707 https://access.redhat.com/errata/RHSA-2024:2707

Comment 18 errata-xmlrpc 2024-11-25 00:10:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2024:10208 https://access.redhat.com/errata/RHSA-2024:10208

Comment 19 errata-xmlrpc 2024-11-25 00:11:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7

Via RHSA-2024:10207 https://access.redhat.com/errata/RHSA-2024:10207
