Bug 1780445 (CVE-2019-19343) - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
Summary: CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to hold...
Keywords:
Status: NEW
Alias: CVE-2019-19343
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1780446
Blocks: 1698222
Reported: 2019-12-06 03:14 UTC by Pedro Sampaio
Modified: 2020-02-18 21:30 UTC

Fixed In Version: undertow 2.0.25.SP1, jboss-remoting 5.0.14.SP1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2019-12-06 03:14:59 UTC
A flaw was found in Undertow as shipped in JBoss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service.

References:

https://issues.redhat.com/browse/JBEAP-16695

Comment 1 Pedro Sampaio 2019-12-06 03:15:32 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1780446]

Comment 5 Paramvir jindal 2019-12-17 08:57:45 UTC
Since this issue is fixed in EAP 7.2.4, the fixed versions of the jars are:

undertow-core-2.0.25.SP1-redhat-00001.jar
jboss-remoting-5.0.14.SP1-redhat-00001.jar

JDG 7.3.4 ships:
JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/io/undertow/core/main/undertow-core-2.0.26.SP3-redhat-00001.jar
JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/org/jboss/remoting/main/jboss-remoting-5.0.16.Final-redhat-00001.jar

These seem to be fixed already, so marking JDG as not affected.

Comment 6 Paramvir jindal 2019-12-17 09:03:42 UTC
RHSSO 7.3.5 ships:

RHSSO/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/io/undertow/core/main/undertow-core-2.0.26.SP3-redhat-00001.jar
RHSSO/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/org/jboss/remoting/main/jboss-remoting-5.0.16.Final-redhat-00001.jar

These seem to be fixed already, so marking RHSSO as not affected.
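The check comments 5 and 6 walk through by hand, written up as an added example that is not part of this bug or of Red Hat's tooling: it parses Red Hat-built jar names from a module tree listing and compares them against the fixed-in versions stated in comment 5. The jar naming pattern and the qualifier ordering (Final below SP1, SP1 below SP2, and so on) are assumptions.

```python
import os
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed-in versions from comment 5; a jar at or above these carries the fix.
FIXED_IN = {
    "undertow-core": "2.0.25.SP1",
    "jboss-remoting": "5.0.14.SP1",
}

# Assumed Red Hat jar naming: <artifact>-<version>[-redhat-NNNNN].jar
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*?)(?:-redhat-\d+)?\.jar$")
# Assumed version shape: <numeric>[.Final | .SPn]; Final ranks below SP1, SP1 below SP2
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.(?:Final|SP(\d+)))?$")

Version = Tuple[Tuple[int, ...], int]

def parse_version(version: str) -> Version:
    """'2.0.26.SP3' -> ((2, 0, 26), 3); '5.0.16.Final' -> ((5, 0, 16), 0)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    numeric = tuple(int(part) for part in m.group(1).split("."))
    service_pack = int(m.group(2)) if m.group(2) else 0
    return numeric, service_pack

def parse_jar(jar_path: str) -> Optional[Tuple[str, Version]]:
    """(artifact, version) for a tracked jar, None for jars this bug does not cover."""
    m = JAR_RE.match(os.path.basename(jar_path))
    if not m or m.group("artifact") not in FIXED_IN:
        return None
    return m.group("artifact"), parse_version(m.group("version"))

def is_fixed(jar_path: str) -> Optional[bool]:
    """True if the shipped version is at or above the fixed-in version; None if untracked."""
    parsed = parse_jar(jar_path)
    if parsed is None:
        return None
    artifact, shipped = parsed
    return shipped >= parse_version(FIXED_IN[artifact])

def assess(jar_paths: Iterable[str]) -> Dict[str, bool]:
    """Fixed status per tracked artifact found in a module tree listing."""
    found = [(parse_jar(p), is_fixed(p)) for p in jar_paths]
    return {parsed[0]: fixed for parsed, fixed in found if parsed is not None}

def affected(jar_paths: Iterable[str]) -> bool:
    """A deployment is affected if any tracked jar is below its fixed-in version."""
    return any(not fixed for fixed in assess(jar_paths).values())
```

Feed it the output of a `find <install>/modules -name '*.jar'` listing; a deployment that ships only the untracked artifacts reports nothing, which is worth treating as "unknown" rather than "clean".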

Comment 7 Salvatore Bonaccorso 2020-01-09 05:44:15 UTC
Hi

Can you confirm: is this an issue which is actually in undertow and fixed there, or specific to JBoss remoting? The CVE seems associated with undertow itself, and according to the subject here it is a memory leak in the HttpOpenListener. If fixed in undertow, is there a respective upstream issue and fix?

Regards,
Salvatore

Comment 8 Pedro Sampaio 2020-01-09 15:27:33 UTC
(In reply to Salvatore Bonaccorso from comment #7)
> Hi
> 
> Can you confirm: is this an issue which is actually in undertow and fixed
> there, or specific to JBoss remoting? The CVE seems associated with undertow
> itself, and according to the subject here it is a memory leak in the
> HttpOpenListener. If fixed in undertow, is there a respective upstream issue
> and fix?
> 
> Regards,
> Salvatore

Hi Kunjan,

Can you help with this?

Thanks.

Comment 10 Kunjan Rathod 2020-01-21 21:23:53 UTC
In reply to comment #7:
> Hi
> 
> Can you confirm: is this an issue which is actually in undertow and fixed
> there, or specific to JBoss remoting? The CVE seems associated with undertow
> itself, and according to the subject here it is a memory leak in the
> HttpOpenListener. If fixed in undertow, is there a respective upstream issue
> and fix?
> 
> Regards,
> Salvatore

Hello Salvatore,

The issue appears to affect both Undertow and remoting. However, the fix appears to be added in remoting (REM3-347), as it looks to be causing the memory leak in Undertow HttpOpenListener (which appears to hold remoting connections indefinitely). https://issues.redhat.com/browse/REM3-347 appears to be an upstream issue filed for the same; however, I am in discussion with Engineering to get the final confirmation on the same.

Comment 11 Salvatore Bonaccorso 2020-02-15 13:32:25 UTC
Hi Kunjan,

(In reply to Kunjan Rathod from comment #10)
> https://issues.redhat.com/browse/REM3-347 appears to be
> an upstream issue filed for the same; however, I am in discussion with
> Engineering to get the final confirmation on the same.

Was there any conclusion on that? And do I interpret it correctly that the issue on the undertow side will likely not be fixed?

Thanks for your time!

Regards,
Salvatore

Comment 13 Kunjan Rathod 2020-02-18 21:30:55 UTC
In reply to comment #11:
> Hi Kunjan,
> 
> (In reply to Kunjan Rathod from comment #10)
> > https://issues.redhat.com/browse/REM3-347 appears to be
> > an upstream issue filed for the same; however, I am in discussion with
> > Engineering to get the final confirmation on the same.
> 
> Was there any conclusion on that? And do I interpret it correctly that the issue
> on the undertow side will likely not be fixed?
> 
> Thanks for your time!
> 
> Regards,
> Salvatore

The issue appears to be fixed in both undertow and remoting; however, I am communicating/discussing internally to get more details.

