Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1308465 - (CVE-2016-2094) CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL handshake from client
CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL hands...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160217,repor...
: Security
Depends On: 1307039
Blocks: 1308466
  Show dependency treegraph
 
Reported: 2016-02-15 04:51 EST by Adam Mariš
Modified: 2016-04-28 13:42 EDT (History)
20 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A read-timeout flaw was found in the HTTPS NIO Connector handling of SSL handshakes. A remote, unauthenticated attacker could create a socket and cause a thread to remain occupied indefinitely so long as the socket remained open (denial of service).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0595 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-05 20:39:55 EDT
Red Hat Product Errata RHSA-2016:0596 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-05 20:39:02 EDT
Red Hat Product Errata RHSA-2016:0597 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-05 20:38:09 EDT
Red Hat Product Errata RHSA-2016:0598 normal SHIPPED_LIVE Moderate: jboss-ec2-eap security, bug fix, and enhancement update 2016-04-05 20:37:54 EDT
Red Hat Product Errata RHSA-2016:0599 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-05 22:20:53 EDT

  None (edit)
Description Adam Mariš 2016-02-15 04:51:09 EST
It was reported that HTTPS NIO connector uses no timeout when reading SSL handshake from a client to tie up a thread on the server just by creating a socket. Attacker could create socket and then never sends the handshake or any data at all, which causes the thread to remain occupied indefinitely so long as the socket remains open.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1307039
Comment 2 Adam Mariš 2016-02-15 05:03:44 EST
Acknowledgments:

This issue was discovered by Aaron Ogburn of Red Hat.
Comment 3 Jason Shepherd 2016-02-16 17:59:45 EST
Undertow in EAP 7 is not vulnerable.  The SSL handshake read does not occupy a thread with Undertow and the handshake read times out as expected by the listener's read-timeout.
Comment 5 errata-xmlrpc 2016-04-05 16:42:24 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0598 https://rhn.redhat.com/errata/RHSA-2016-0598.html
Comment 6 errata-xmlrpc 2016-04-05 16:43:16 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0597 https://rhn.redhat.com/errata/RHSA-2016-0597.html
Comment 7 errata-xmlrpc 2016-04-05 16:44:22 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 8 errata-xmlrpc 2016-04-05 16:45:26 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html
Comment 9 errata-xmlrpc 2016-04-05 18:21:28 EDT
This issue has been addressed in the following products:



Via RHSA-2016:0599 https://rhn.redhat.com/errata/RHSA-2016-0599.html
Comment 10 errata-xmlrpc 2016-04-28 13:42:21 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 11 errata-xmlrpc 2016-04-28 13:42:57 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html

Note You need to log in before you can comment on or make changes to this bug.