Bug 1376646 (CVE-2016-7046) - CVE-2016-7046 undertow: Long URL proxy request lead to java.nio.BufferOverflowException and DoS
Summary: CVE-2016-7046 undertow: Long URL proxy request lead to java.nio.BufferOverflo...
Status: NEW
Alias: CVE-2016-7046
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20160915,repo...
Keywords: Security
Depends On:
Blocks: 1376426 1380270 1520314
TreeView+ depends on / blocked
 
Reported: 2016-09-16 03:49 UTC by Timothy Walsh
Modified: 2019-06-08 21:26 UTC (History)
18 users (show)

(edit)
It was discovered that a long URL sent to EAP 7 Server operating as a reverse proxy with default buffer sizes causes a Denial of Service.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2640 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.0.3 on RHEL 6 2016-11-03 21:32:41 UTC
Red Hat Product Errata RHSA-2016:2641 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.0.3 for RHEL 7 2016-11-03 21:32:11 UTC
Red Hat Product Errata RHSA-2016:2642 normal SHIPPED_LIVE Important: jboss-ec2-eap package for EAP 7.0.3 2016-11-03 21:52:35 UTC
Red Hat Product Errata RHSA-2016:2657 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.0.3 2016-11-04 19:37:41 UTC
Red Hat Product Errata RHSA-2017:3454 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:48:09 UTC
Red Hat Product Errata RHSA-2017:3455 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:57:25 UTC
Red Hat Product Errata RHSA-2017:3456 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:31:03 UTC
Red Hat Product Errata RHSA-2017:3458 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2017-12-13 23:26:13 UTC

Description Timothy Walsh 2016-09-16 03:49:31 UTC
A long URL when sent to EAP 7 Server operating as a reverse proxy with default buffer sizes causes a DoS.

A long URL (about 1900 characters) is sent, the proxy server

    return error 500 (that's ok)
    starts to consume 100% CPU
    starts to fill logs log file with exceptions very fast (so disk space gets exhausted quickly)
    E.g. some infinite loop is initiated by the request. Proxy server must be restarted to stop the problem.

Comment 6 errata-xmlrpc 2016-11-04 09:10:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2016:2641 https://rhn.redhat.com/errata/RHSA-2016-2641.html

Comment 7 errata-xmlrpc 2016-11-04 09:10:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2016:2640 https://rhn.redhat.com/errata/RHSA-2016-2640.html

Comment 8 errata-xmlrpc 2016-11-04 09:10:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2016:2642 https://rhn.redhat.com/errata/RHSA-2016-2642.html

Comment 9 errata-xmlrpc 2016-11-04 15:38:34 UTC
This issue has been addressed in the following products:



Via RHSA-2016:2657 https://rhn.redhat.com/errata/RHSA-2016-2657.html

Comment 12 errata-xmlrpc 2017-12-13 17:33:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 13 errata-xmlrpc 2017-12-13 18:19:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 14 errata-xmlrpc 2017-12-13 18:41:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 15 errata-xmlrpc 2017-12-13 18:46:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458


Note You need to log in before you can comment on or make changes to this bug.