Bug 2335206 (CVE-2024-8447)

Summary: CVE-2024-8447 narayana: deadlock via multiple join requests sent to LRA Coordinator
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, fjuma, istudens, ivassile, iweiss, lgao, mosmerov, msochure, msvehla, nwallace, pesilva, pjindal, pmackay, rstancel, smaestri, tom.jenkinson
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A security issue was discovered in the LRA Coordinator component of Narayana. Cancelling an LRA takes approximately 2 seconds to complete. If a Join request for the same LRA ID is received within that window, the application may hang indefinitely or crash, leading to a denial of service.

Description OSIDB Bzimport 2025-01-01 22:51:59 UTC
Summary: The server crashes when a new Saga Join request is received within 2 seconds of the LRA Coordinator starting to cancel, while the status is still "Canceling."

Description:
Cancelling an LRA takes approximately 2 seconds. If Join is called with the same LRA ID within that window, the application may hang indefinitely or crash.

References:
https://github.com/jbosstm/narayana/pull/2293
https://issues.redhat.com/browse/JBTM-3911
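
The guard this class of bug calls for, as an added illustration that is not Narayana code and not taken from the fix referenced above: a toy coordinator that changes an LRA's status and its participant list under one lock, takes a snapshot of participants before doing the slow compensate work outside the lock, and refuses Join with 412 once the LRA is no longer Active. The class and method names (Coordinator, start, join, cancel, LRAStatus), the 412 response, the simulated compensate delay and the LRA id string are all assumptions modelled on the MicroProfile LRA contract rather than on Narayana's implementation. The scenario function fires Join requests while a Cancel is in flight and reports whether Cancel still terminates.

```python
"""Toy LRA coordinator: Join/Cancel race handled by a single lock and a status check.

Hypothetical example, not Narayana code. Names, the 412 refusal and the compensate
delay are assumptions modelled on the MicroProfile LRA contract.
"""
import threading
import time
from enum import Enum


class LRAStatus(Enum):
    ACTIVE = "Active"
    CANCELLING = "Cancelling"
    CANCELLED = "Cancelled"


class LRAError(Exception):
    """Carries the HTTP status a coordinator would return for a refused request."""

    def __init__(self, http_status: int, message: str):
        super().__init__(message)
        self.http_status = http_status


class Coordinator:
    def __init__(self, compensate_delay: float = 0.02):
        self._lock = threading.Lock()          # guards both status and membership
        self._lras: dict[str, dict] = {}
        self._delay = compensate_delay         # stands in for a slow compensate call

    def start(self, lra_id: str) -> None:
        with self._lock:
            self._lras[lra_id] = {"status": LRAStatus.ACTIVE, "participants": []}

    def status(self, lra_id: str) -> LRAStatus:
        with self._lock:
            return self._lras[lra_id]["status"]

    def participants(self, lra_id: str) -> list:
        with self._lock:
            return list(self._lras[lra_id]["participants"])

    def join(self, lra_id: str, participant: str) -> int:
        """Enlist a participant; refused with 412 once cancellation has begun."""
        with self._lock:
            lra = self._lras.get(lra_id)
            if lra is None:
                raise LRAError(404, f"unknown LRA {lra_id}")
            if lra["status"] is not LRAStatus.ACTIVE:
                raise LRAError(412, f"LRA {lra_id} is {lra['status'].value}")
            lra["participants"].append(participant)
        return 200

    def cancel(self, lra_id: str) -> LRAStatus:
        """Flip to Cancelling under the lock, then compensate a fixed snapshot
        outside it, so the slow work neither blocks join() nor is extended by it."""
        with self._lock:
            lra = self._lras[lra_id]
            if lra["status"] is not LRAStatus.ACTIVE:
                return lra["status"]            # repeated cancel is a no-op
            lra["status"] = LRAStatus.CANCELLING
            to_compensate = list(lra["participants"])  # late joiners cannot extend this
        for _ in to_compensate:
            time.sleep(self._delay)             # simulated compensate round-trip
        with self._lock:
            lra["status"] = LRAStatus.CANCELLED
        return LRAStatus.CANCELLED


def race_join_against_cancel(n_initial: int = 3, n_late: int = 5) -> dict:
    """Constructed scenario: issue Join requests while Cancel is in flight."""
    coord = Coordinator()
    lra_id = "http://localhost:8080/lra-coordinator/0_ffff_example"  # constructed id
    coord.start(lra_id)
    for i in range(n_initial):
        coord.join(lra_id, f"participant-{i}")

    canceller = threading.Thread(target=coord.cancel, args=(lra_id,))
    canceller.start()
    deadline = time.monotonic() + 2.0
    while coord.status(lra_id) is LRAStatus.ACTIVE and time.monotonic() < deadline:
        time.sleep(0.001)                       # wait until cancellation has started

    late_results = []
    for i in range(n_late):
        try:
            late_results.append(coord.join(lra_id, f"late-{i}"))
        except LRAError as e:
            late_results.append(e.http_status)

    canceller.join(timeout=5.0)                 # a hang here would be the denial of service
    return {
        "cancel_finished": not canceller.is_alive(),
        "final_status": coord.status(lra_id),
        "late_join_results": late_results,
        "participant_count": len(coord.participants(lra_id)),
    }


if __name__ == "__main__":
    print(race_join_against_cancel())
```

Every late Join is answered 412 whether it lands during Cancelling or after Cancelled, the participant set that Cancel compensates is fixed when the status flips, and Cancel completes regardless of how many Join requests arrive in the window. The point to check in any coordinator is that the status test and the membership update happen atomically; a check followed by an unlocked append reopens the race.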

Comment 2 errata-xmlrpc 2025-03-27 16:40:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2025:3357 https://access.redhat.com/errata/RHSA-2025:3357

Comment 3 errata-xmlrpc 2025-03-27 16:47:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2025:3358 https://access.redhat.com/errata/RHSA-2025:3358

Comment 4 errata-xmlrpc 2025-05-14 16:05:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss EAP XP 5.0 Update 2.0

Via RHSA-2025:7620 https://access.redhat.com/errata/RHSA-2025:7620