Bug 1308465 (CVE-2016-2094) - CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL handshake from client
Summary: CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL hands...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2094
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1307039
Blocks: 1308466
TreeView+ depends on / blocked
 
Reported: 2016-02-15 09:51 UTC by Adam Mariš
Modified: 2021-10-21 00:49 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A read-timeout flaw was found in the HTTPS NIO Connector handling of SSL handshakes. A remote, unauthenticated attacker could create a socket and cause a thread to remain occupied indefinitely so long as the socket remained open (denial of service).
Clone Of:
Environment:
Last Closed: 2021-10-21 00:49:44 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0595 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 00:39:55 UTC
Red Hat Product Errata RHSA-2016:0596 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 00:39:02 UTC
Red Hat Product Errata RHSA-2016:0597 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 00:38:09 UTC
Red Hat Product Errata RHSA-2016:0598 0 normal SHIPPED_LIVE Moderate: jboss-ec2-eap security, bug fix, and enhancement update 2016-04-06 00:37:54 UTC
Red Hat Product Errata RHSA-2016:0599 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 02:20:53 UTC

Description Adam Mariš 2016-02-15 09:51:09 UTC 
It was reported that HTTPS NIO connector uses no timeout when reading SSL handshake from a client to tie up a thread on the server just by creating a socket. Attacker could create socket and then never sends the handshake or any data at all, which causes the thread to remain occupied indefinitely so long as the socket remains open.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1307039
Comment 3 Jason Shepherd 2016-02-16 22:59:45 UTC 
Undertow in EAP 7 is not vulnerable.  The SSL handshake read does not occupy a thread with Undertow and the handshake read times out as expected by the listener's read-timeout.
Comment 5 errata-xmlrpc 2016-04-05 20:42:24 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0598 https://rhn.redhat.com/errata/RHSA-2016-0598.html
Comment 6 errata-xmlrpc 2016-04-05 20:43:16 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0597 https://rhn.redhat.com/errata/RHSA-2016-0597.html
Comment 7 errata-xmlrpc 2016-04-05 20:44:22 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 8 errata-xmlrpc 2016-04-05 20:45:26 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html
Comment 9 errata-xmlrpc 2016-04-05 22:21:28 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:0599 https://rhn.redhat.com/errata/RHSA-2016-0599.html
Comment 10 errata-xmlrpc 2016-04-28 17:42:21 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 11 errata-xmlrpc 2016-04-28 17:42:57 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html
Note You need to log in before you can comment on or make changes to this bug.