Bug 1308465 (CVE-2016-2094) - CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL handshake from client
Summary: CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL hands...
Status: NEW
Alias: CVE-2016-2094
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160217,repor...
Keywords: Security
Depends On: 1307039
Blocks: 1308466
TreeView+ depends on / blocked
 
Reported: 2016-02-15 09:51 UTC by Adam Mariš
Modified: 2016-04-28 17:42 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A read-timeout flaw was found in the HTTPS NIO Connector handling of SSL handshakes. A remote, unauthenticated attacker could create a socket and cause a thread to remain occupied indefinitely so long as the socket remained open (denial of service).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0595 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 00:39:55 UTC
Red Hat Product Errata RHSA-2016:0596 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 00:39:02 UTC
Red Hat Product Errata RHSA-2016:0597 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 00:38:09 UTC
Red Hat Product Errata RHSA-2016:0598 normal SHIPPED_LIVE Moderate: jboss-ec2-eap security, bug fix, and enhancement update 2016-04-06 00:37:54 UTC
Red Hat Product Errata RHSA-2016:0599 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 02:20:53 UTC

Description Adam Mariš 2016-02-15 09:51:09 UTC
It was reported that HTTPS NIO connector uses no timeout when reading SSL handshake from a client to tie up a thread on the server just by creating a socket. Attacker could create socket and then never sends the handshake or any data at all, which causes the thread to remain occupied indefinitely so long as the socket remains open.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1307039

Comment 2 Adam Mariš 2016-02-15 10:03:44 UTC
Acknowledgments:

This issue was discovered by Aaron Ogburn of Red Hat.

Comment 3 Jason Shepherd 2016-02-16 22:59:45 UTC
Undertow in EAP 7 is not vulnerable.  The SSL handshake read does not occupy a thread with Undertow and the handshake read times out as expected by the listener's read-timeout.

Comment 5 errata-xmlrpc 2016-04-05 20:42:24 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0598 https://rhn.redhat.com/errata/RHSA-2016-0598.html

Comment 6 errata-xmlrpc 2016-04-05 20:43:16 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0597 https://rhn.redhat.com/errata/RHSA-2016-0597.html

Comment 7 errata-xmlrpc 2016-04-05 20:44:22 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html

Comment 8 errata-xmlrpc 2016-04-05 20:45:26 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html

Comment 9 errata-xmlrpc 2016-04-05 22:21:28 UTC
This issue has been addressed in the following products:



Via RHSA-2016:0599 https://rhn.redhat.com/errata/RHSA-2016-0599.html

Comment 10 errata-xmlrpc 2016-04-28 17:42:21 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html

Comment 11 errata-xmlrpc 2016-04-28 17:42:57 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html


Note You need to log in before you can comment on or make changes to this bug.