Bug 1308465 - (CVE-2016-2094) CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL handshake from client
CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL hands...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160217,repor...
: Security
Depends On: 1307039
Blocks: 1308466
  Show dependency treegraph
 
Reported: 2016-02-15 04:51 EST by Adam Mariš
Modified: 2016-04-28 13:42 EDT (History)
20 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A read-timeout flaw was found in the HTTPS NIO Connector handling of SSL handshakes. A remote, unauthenticated attacker could create a socket and cause a thread to remain occupied indefinitely so long as the socket remained open (denial of service).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-02-15 04:51:09 EST
It was reported that HTTPS NIO connector uses no timeout when reading SSL handshake from a client to tie up a thread on the server just by creating a socket. Attacker could create socket and then never sends the handshake or any data at all, which causes the thread to remain occupied indefinitely so long as the socket remains open.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1307039
Comment 2 Adam Mariš 2016-02-15 05:03:44 EST
Acknowledgments:

This issue was discovered by Aaron Ogburn of Red Hat.
Comment 3 Jason Shepherd 2016-02-16 17:59:45 EST
Undertow in EAP 7 is not vulnerable.  The SSL handshake read does not occupy a thread with Undertow and the handshake read times out as expected by the listener's read-timeout.
Comment 5 errata-xmlrpc 2016-04-05 16:42:24 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0598 https://rhn.redhat.com/errata/RHSA-2016-0598.html
Comment 6 errata-xmlrpc 2016-04-05 16:43:16 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0597 https://rhn.redhat.com/errata/RHSA-2016-0597.html
Comment 7 errata-xmlrpc 2016-04-05 16:44:22 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 8 errata-xmlrpc 2016-04-05 16:45:26 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html
Comment 9 errata-xmlrpc 2016-04-05 18:21:28 EDT
This issue has been addressed in the following products:



Via RHSA-2016:0599 https://rhn.redhat.com/errata/RHSA-2016-0599.html
Comment 10 errata-xmlrpc 2016-04-28 13:42:21 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 11 errata-xmlrpc 2016-04-28 13:42:57 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html

Note You need to log in before you can comment on or make changes to this bug.