Bug 2242099 (CVE-2023-5379)

Summary: CVE-2023-5379 undertow: AJP Request closes connection exceeding maxRequestSize
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alampare, alazarot, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, emingora, fjuma, gmalinko, gsmet, ibek, ikanello, ivassile, iweiss, janstey, jmartisk, jrokos, kverlaen, lbacciot, lgao, lthon, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rowaters, rruss, rstancel, rsvoboda, sbiarozk, security-response-team, smaestri, sthorger, tom.jenkinson, tqvarnst
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2238749    

Description Patrick Del Bello 2023-10-04 11:53:33 UTC
When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked as an error state by mod_cluster in httpd. The problem is that requests exceeding the max-header-size cause JBoss EAP to close the TCP connection without returning an AJP response.

A malicious user could exploit this behavior by repeatedly sending requests that exceed the max-header-size, it causes a denial-of-service attack. This is because mod_proxy_cluster marks JBoss instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding.