Bug 2292211 (CVE-2024-5971)
| Summary: | CVE-2024-5971 undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | anstephe, arnavarr, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, ecerquei, fjuma, fmariani, gmalinko, gsmet, hamadhan, ibek, istudens, ivassile, iweiss, janstey, jkoops, jmartisk, jpoth, jrokos, kverlaen, lgao, lthon, manderse, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, parichar, pcongius, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdouglas, security-response-team, smaestri, sthorger, tasato, tcunning, tom.jenkinson, tqvarnst, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A vulnerability was found in Undertow, where a chunked response hangs after the body has been flushed. The response headers and body are sent, but the client keeps waiting because Undertow does not send the expected `0\r\n` termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side open to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2292210 | | |
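As an added illustration (not code from this bug report, from Undertow, or from Red Hat), the following Python decoder for HTTP/1.1 chunked framing tells a response that was properly terminated with the `0\r\n` last-chunk apart from one where the headers and body arrived but the terminator never did, which is the state the Doc Text above describes the client being left in. The sample responses are constructed for this example; a real health check would read from a socket with a read timeout and hand whatever bytes arrived before the deadline to `check_response`, treating `complete == False` as the hang signature rather than waiting indefinitely.

```python
"""Detect an unterminated chunked HTTP/1.1 response (added example, not project code)."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class ChunkedResult:
    body: bytes      # payload assembled from the chunks that did arrive
    complete: bool   # True only if the 0\r\n last-chunk and its trailer CRLF arrived
    reason: str      # short explanation of the verdict


def split_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split raw response bytes into a lower-cased header map and the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def decode_chunked(body: bytes) -> ChunkedResult:
    """Decode chunked framing; report truncation instead of raising on it."""
    pos = 0
    out = bytearray()
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            # Body bytes ran out before another chunk-size line: this is the
            # bug's signature when the data chunks were flushed but 0\r\n never came.
            return ChunkedResult(bytes(out), False, "no last-chunk (0\\r\\n) received")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return ChunkedResult(bytes(out), False, f"bad chunk size {size_field!r}")
        pos = eol + 2
        if size == 0:
            # Last-chunk seen; the message ends with an empty line after any trailers.
            if body.startswith(b"\r\n", pos) or body.find(b"\r\n\r\n", pos) != -1:
                return ChunkedResult(bytes(out), True, "last-chunk and trailer received")
            return ChunkedResult(bytes(out), False, "last-chunk seen but trailer not terminated")
        chunk = body[pos:pos + size]
        out += chunk
        if len(chunk) < size:
            return ChunkedResult(bytes(out), False,
                                 f"chunk truncated: expected {size} bytes, got {len(chunk)}")
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            return ChunkedResult(bytes(out), False, "missing CRLF after chunk data")
        pos += 2


def check_response(raw: bytes) -> ChunkedResult:
    """Classify a captured response as complete or hung, by its framing."""
    headers, body = split_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return decode_chunked(body)
    # Non-chunked responses are complete once Content-Length bytes have arrived.
    expected = int(headers.get("content-length", "0"))
    return ChunkedResult(body, len(body) >= expected,
                         f"content-length {expected}, received {len(body)}")


# Constructed sample: what a healthy server sends (terminator present).
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
                 b"Content-Type: text/plain\r\n\r\n"
                 b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")

# Constructed sample modelling the bug: headers and body flushed, 0\r\n never sent.
HUNG_RESPONSE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
                 b"Content-Type: text/plain\r\n\r\n"
                 b"5\r\nhello\r\n6\r\n world\r\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("hung", HUNG_RESPONSE)):
        result = check_response(raw)
        print(f"{label}: complete={result.complete} body={result.body!r} ({result.reason})")
```

The decoder deliberately returns a verdict instead of raising on truncation, because the interesting case here is precisely the one where the body decodes fine and only the terminator is missing; a client that keys on "received the full payload" would wrongly consider the hung response done, while one that keys on `complete` can close the connection and release its resources.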
Description
Patrick Del Bello
2024-06-13 13:56:06 UTC
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2024:4392 https://access.redhat.com/errata/RHSA-2024:4392

This issue has been addressed in the following products: Red Hat build of Apache Camel 4.4.1 for Spring Boot. Via RHSA-2024:4884 https://access.redhat.com/errata/RHSA-2024:4884

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9. Via RHSA-2024:5145 https://access.redhat.com/errata/RHSA-2024:5145

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7. Via RHSA-2024:5143 https://access.redhat.com/errata/RHSA-2024:5143

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8. Via RHSA-2024:5144 https://access.redhat.com/errata/RHSA-2024:5144

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2024:5147 https://access.redhat.com/errata/RHSA-2024:5147

This issue has been addressed in the following products: Red Hat build of Apache Camel 3.20.7 for Spring Boot. Via RHSA-2024:6883 https://access.redhat.com/errata/RHSA-2024:6883