Bug 1144210 (CVE-2014-3648) - CVE-2014-3648 JBoss AeroGear: DDoS via deviceToken
Summary: CVE-2014-3648 JBoss AeroGear: DDoS via deviceToken
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-3648
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-19 02:52 UTC by Trevor Jay
Modified: 2022-07-12 12:21 UTC (History)
CC List: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-26 20:02:58 UTC
Embargoed:



Description Trevor Jay 2014-09-19 02:52:06 UTC
The SimplePush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled.

If an attacker registers bogus applications with bad deviceTokens, they can generate endless exceptions when those endpoints can't be reached, or can slow the server down by purposefully wasting its time with slow endpoints they control.

Similarly, attackers can provide whatever HTTP endpoint they want, using the server as a DDoS and malware vector.
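
An added example (not part of this report or of AeroGear's own code) of the defensive side of the finding: the push loop validates each deviceToken endpoint against an operator allowlist before contacting it, bounds the time spent on any single endpoint, and quarantines installations whose endpoint keeps failing, so a bogus registration cannot tie up delivery. The allowlisted host, the `sender` callable and the failure threshold are constructed assumptions.

```python
from urllib.parse import urlparse

# Assumption: only hosts the operator has approved may receive pushes (constructed value).
ALLOWED_HOSTS = {"push.example.com"}
# Assumption: stop retrying an installation after this many consecutive failed pushes.
MAX_FAILURES = 3


def endpoint_is_acceptable(device_token: str) -> bool:
    """Accept only https URLs, without embedded credentials, on an allowlisted host.

    Raw IP literals and unknown hosts fail the allowlist, so a registration cannot
    point the server at arbitrary or internal addresses.
    """
    try:
        url = urlparse(device_token)
    except ValueError:
        return False
    if url.scheme != "https" or not url.hostname:
        return False
    if url.username or url.password:
        return False
    return url.hostname.lower() in ALLOWED_HOSTS


class PushDispatcher:
    """Iterates over installations like the push loop, but with a per-endpoint failure budget."""

    def __init__(self, sender, timeout: float = 2.0):
        # sender(url, payload, timeout) performs one delivery and raises on error (assumed interface).
        self.sender = sender
        self.timeout = timeout          # hard bound on time spent per endpoint
        self.failures: dict[str, int] = {}
        self.quarantined: set[str] = set()

    def push_all(self, installations, payload):
        """Deliver payload to every acceptable, non-quarantined installation; return those reached."""
        delivered = []
        for token in installations:
            if token in self.quarantined or not endpoint_is_acceptable(token):
                continue
            try:
                self.sender(token, payload, self.timeout)
                delivered.append(token)
                self.failures.pop(token, None)  # success resets the budget
            except Exception:
                count = self.failures.get(token, 0) + 1
                self.failures[token] = count
                if count >= MAX_FAILURES:
                    self.quarantined.add(token)  # no further attempts for this endpoint
        return delivered
```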

Comment 1 Arun Babu Neelicattu 2014-09-29 05:23:13 UTC
Upstream Issue:

https://issues.jboss.org/browse/AEROGEAR-1515

Comment 2 Trevor Jay 2014-09-29 05:44:51 UTC
Statement:

Not vulnerable. AeroGear is not provided by any Red Hat product.

