Bug 2272325 (CVE-2024-4109)

Summary: CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: aileenc, asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, cmiranda, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, ecerquei, fjuma, fmariani, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jkoops, jpoth, jrokos, kverlaen, lgao, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, parichar, pcongius, pdelbell, pdrozd, peholase, pesilva, pjindal, pmackay, pskopek, rguimara, rmartinc, rowaters, rstancel, rstepani, security-response-team, smaestri, sthorger, tasato, tcunning, tom.jenkinson, yfang
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
[REJECTED CVE] A vulnerability has been identified in the Undertow package where the readHpackString method may incorrectly reuse an HTTP request header value from a previous stream for a new request on the same HTTP/2 connection due to improper handling of the stringBuilder field. While this typically results in an error and connection termination, an attacker could potentially exploit this flaw to leak sensitive information between requests within the same connection.
Bug Blocks: 2267158
Deadline: 2024-12-10

Description Robb Gatica 2024-03-30 21:52:57 UTC
Description:
Product Security received a report that Undertow might incorrectly re-use an HTTP request header value from a previous stream for a request associated with a subsequent stream on the same HTTP/2 connection. The issue is linked to the readHpackString method and its interaction with the stringBuilder field. While such behavior typically results in an error followed by the termination of the HTTP/2 connection, it presents a potential vector for information leakage between requests.

The original reporter referenced a similar issue in Apache Tomcat (CVE-2020-17527). In the patch for that vulnerability (https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb) a StringBuilder field was improperly reused across multiple requests, leading to this issue. In the io.undertow.protocols.http2.HpackDecoder class of Undertow, within the readHpackString method, there is a code pattern identical to the one mentioned:

```java
// Excerpt from io.undertow.protocols.http2.HpackDecoder#readHpackString as quoted in the report.
// stringBuilder is an instance field, so it is shared by every header read on the connection.
for (int i = 0; i < length; ++i) {
    stringBuilder.append((char) buffer.get());
}
String ret = stringBuilder.toString();
// Only reached when the loop completes; if buffer.get() throws first (e.g. BufferUnderflowException),
// the characters appended so far remain in the field for the next read.
stringBuilder.setLength(0);
if (ret.isEmpty()) {
    //return the interned empty string, rather than allocating a new one each time
    return "";
}
```

Steps to reproduce:
No reproducers or PoC were provided; this issue was identified through static testing.

Affected versions: 2.2.x, 2.3.x, and 3.x
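The hazard in the quoted pattern is a reusable buffer held as an instance field that is cleared only on the success path. The following is an added example, not Undertow's code and not part of the report: a small Python model in which `LeakyDecoder` mirrors the quoted pattern and `SafeDecoder` applies an assumed hardening (clear the field on entry and in a `finally` block). The hardening, the class and method names, and the header bytes are all constructed for the demonstration; the page gives no details of the actual fix.

```python
# Added example (not Undertow's or the reporter's code): a minimal model of the
# shared-buffer hazard described in the report. The hardening in SafeDecoder is
# an assumption for illustration, not the project's actual fix.


class HeaderTooShort(Exception):
    """Raised when a header's declared length exceeds the bytes available."""


class LeakyDecoder:
    """Decoder whose reusable buffer survives a failed read (the flawed pattern)."""

    def __init__(self) -> None:
        # Stands in for the StringBuilder instance field shared across streams.
        self._buf: list[str] = []

    def read_string(self, data: bytes, length: int) -> str:
        # Append byte by byte, like the loop over buffer.get() in the report.
        for i in range(length):
            if i >= len(data):
                # The frame ran out of bytes: the exception escapes before the
                # clear below runs, so everything appended so far stays in _buf.
                raise HeaderTooShort(f"declared {length} bytes, got {len(data)}")
            self._buf.append(chr(data[i]))
        ret = "".join(self._buf)
        self._buf.clear()  # reached only on success
        return ret

    def residual(self) -> str:
        """Whatever is still sitting in the shared buffer (should always be '')."""
        return "".join(self._buf)


class SafeDecoder(LeakyDecoder):
    """Same decoder, with the buffer cleared on entry and on every exit path."""

    def read_string(self, data: bytes, length: int) -> str:
        self._buf.clear()  # never start with another request's bytes
        try:
            return super().read_string(data, length)
        finally:
            self._buf.clear()  # also covers the exceptional path


def simulate_connection(decoder_cls: type) -> str:
    """Two requests decoded by one decoder instance, as two streams on one
    HTTP/2 connection would be. Inputs are constructed for the demonstration."""
    dec = decoder_cls()
    # Stream 1 carries a header value that is shorter than its declared length.
    try:
        dec.read_string(b"secret-token", 20)
    except HeaderTooShort:
        pass  # the server reports an error, but the decoder object lives on
    # Stream 2 on the same connection sends an ordinary header value.
    return dec.read_string(b"text/html", 9)


if __name__ == "__main__":
    # With the flawed decoder, stream 1's bytes prefix stream 2's header value.
    print("flawed  :", repr(simulate_connection(LeakyDecoder)))
    print("hardened:", repr(simulate_connection(SafeDecoder)))
```

The `residual()` accessor is the check a unit test would make after any decode that raised: a per-connection decoder should never carry bytes from one stream into the next, regardless of whether the previous read succeeded.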

Comment 7 errata-xmlrpc 2024-12-10 17:05:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2024:10929 https://access.redhat.com/errata/RHSA-2024:10929

Comment 8 errata-xmlrpc 2024-12-10 17:06:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2024:10928 https://access.redhat.com/errata/RHSA-2024:10928

Comment 9 errata-xmlrpc 2024-12-10 17:06:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2024:10927 https://access.redhat.com/errata/RHSA-2024:10927

Comment 10 errata-xmlrpc 2024-12-10 17:15:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4.20

Via RHSA-2024:10933 https://access.redhat.com/errata/RHSA-2024:10933

Comment 11 errata-xmlrpc 2024-12-19 14:37:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2024:11560 https://access.redhat.com/errata/RHSA-2024:11560

Comment 12 errata-xmlrpc 2024-12-19 14:37:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2024:11559 https://access.redhat.com/errata/RHSA-2024:11559

Comment 13 errata-xmlrpc 2024-12-19 14:54:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:11570 https://access.redhat.com/errata/RHSA-2024:11570