Bug 2264928 (CVE-2024-1635)
| Summary: | CVE-2024-1635 undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | adupliak, aileenc, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, carnil, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, dsimansk, ecerquei, eric.wittmann, fjansen, fjuma, fmariani, fmongiar, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jkoops, jmartisk, jnethert, jpoth, jrokos, jscholz, kingland, kverlaen, lgao, lthon, manderse, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nipatil, nwallace, olubyans, pantinor, pcongius, pdrozd, peholase, pesilva, pgallagh, pierdipi, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rkubis, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, saroy, sausingh, sbiarozk, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | undertow 2.3.10.SP3, undertow 2.2.30.SP1 | Doc Type: | --- |
| Doc Text: |
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available.
At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2264893 | ||
|
Description
Patrick Del Bello
2024-02-19 17:29:57 UTC
Is there information on the the upstream status for undertow? Is there an upstream issue and/or fixing commit available? @carnil: Please follow up with https://issues.redhat.com/browse/WFLY-18700 and linked issues. This comment was flagged a spam, view the edit history to see the original text if required. Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version. This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2024:1676 https://access.redhat.com/errata/RHSA-2024:1676 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2024:1675 https://access.redhat.com/errata/RHSA-2024:1675 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2024:1674 https://access.redhat.com/errata/RHSA-2024:1674 This issue has been addressed in the following products: EAP 7.4.16 Via RHSA-2024:1677 https://access.redhat.com/errata/RHSA-2024:1677 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2024:1860 https://access.redhat.com/errata/RHSA-2024:1860 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2024:1861 https://access.redhat.com/errata/RHSA-2024:1861 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2024:1862 https://access.redhat.com/errata/RHSA-2024:1862 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2024:1864 https://access.redhat.com/errata/RHSA-2024:1864 This issue has been addressed in the following products: RHSSO 7.6.8 Via RHSA-2024:1866 https://access.redhat.com/errata/RHSA-2024:1866 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Via RHSA-2025:4226 https://access.redhat.com/errata/RHSA-2025:4226 |