Bug 1780445 (CVE-2019-19343) - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
Summary: CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19343
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1780446
Blocks: 1698222 1942139
Reported: 2019-12-06 03:14 UTC by Pedro Sampaio
Modified: 2021-03-23 18:17 UTC (History)

Fixed In Version: undertow 2.0.25.SP1, jboss-remoting 5.0.14.SP1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Undertow when using Remoting as shipped in Red Hat JBoss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service.
Clone Of:
Environment:
Last Closed: 2020-06-15 17:20:30 UTC




Links
System ID                               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata RHSA-2020:2565   0        None      None    None     2020-06-15 16:18:48 UTC
Red Hat Product Errata RHSA-2020:5568   0        None      None    None     2020-12-16 12:12:54 UTC

Description Pedro Sampaio 2019-12-06 03:14:59 UTC
A flaw was found in Undertow as shipped in JBoss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service.

References:

https://issues.redhat.com/browse/JBEAP-16695

Comment 1 Pedro Sampaio 2019-12-06 03:15:32 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1780446]

Comment 5 Paramvir jindal 2019-12-17 08:57:45 UTC
Since this issue is fixed in EAP 7.2.4, the fixed versions of the jars are:

undertow-core-2.0.25.SP1-redhat-00001.jar
jboss-remoting-5.0.14.SP1-redhat-00001.jar

JDG 7.3.4  ships :
JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/io/undertow/core/main/undertow-core-2.0.26.SP3-redhat-00001.jar
JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/org/jboss/remoting/main/jboss-remoting-5.0.16.Final-redhat-00001.jar

These seem to be fixed already, so marking JDG as not affected.

Comment 6 Paramvir jindal 2019-12-17 09:03:42 UTC
RHSSO 7.3.5 ships :

RHSSO/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/io/undertow/core/main/undertow-core-2.0.26.SP3-redhat-00001.jar
RHSSO/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/org/jboss/remoting/main/jboss-remoting-5.0.16.Final-redhat-00001.jar

These seem to be fixed already, so marking RHSSO as not affected.
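Comments 5 and 6 decide "affected or not" by reading the undertow-core and jboss-remoting jar versions out of the modules tree and comparing them with the fixed versions. As an added example, not code from this bug, from Red Hat or from the Undertow/Remoting projects, the Python below automates that check: it walks a JBoss `modules/` directory (or takes a list of jar names), parses the JBoss-style version string out of each relevant jar name, and compares it with the "Fixed In Version" values. The qualifier ordering it uses (Alpha/Beta/CR below Final, SPn above Final of the same base) and the handling of the `-redhat-NNNNN` build suffix are assumptions about the JBoss versioning convention, not something the bug states; the names in `SAMPLE_JARS` are the ones quoted in comments 5 and 6 plus one hypothetical pre-fix jar.

```python
"""Check undertow-core / jboss-remoting jar versions against the
CVE-2019-19343 fixed versions. Added example; assumptions are marked."""
import re
import sys
from pathlib import Path

# Fixed versions from the bug's "Fixed In Version" field.
FIXED_VERSIONS = {
    "undertow-core": "2.0.25.SP1",
    "jboss-remoting": "5.0.14.SP1",
}

# ASSUMPTION: JBoss-style qualifier ordering. Pre-releases sort below Final,
# service packs (SPn) sort above Final of the same base version. Unknown
# qualifiers get the lowest rank so the check errs towards "affected".
QUALIFIER_RANK = {"Alpha": -3, "Beta": -2, "CR": -1, "Final": 0, "SP": 1}

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\.([A-Za-z]+)(\d*)")

# Matches the jar names quoted in the bug, with or without the -redhat-NNNNN
# build suffix (ASSUMPTION: that suffix never changes the upstream version).
JAR_RE = re.compile(
    r"^(?P<artifact>undertow-core|jboss-remoting)-"
    r"(?P<version>\d+(?:\.\d+)*\.[A-Za-z]+\d*)"
    r"(?:-redhat-\d+)?\.jar$"
)


def parse_version(version):
    """Turn '2.0.26.SP3' into a comparable tuple: ((2, 0, 26), 1, 3)."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # pad so that 2.0 == 2.0.0
    rank = QUALIFIER_RANK.get(m.group(2), -4)
    return numbers, rank, int(m.group(3) or 0)


def is_fixed(artifact, version):
    """True when `version` is at or above the fixed version for `artifact`."""
    return parse_version(version) >= parse_version(FIXED_VERSIONS[artifact])


def classify_jar(filename):
    """Return (artifact, version, fixed?) for a relevant jar name, else None."""
    m = JAR_RE.match(Path(filename).name)
    if not m:
        return None
    artifact, version = m.group("artifact"), m.group("version")
    return artifact, version, is_fixed(artifact, version)


def scan_module_tree(root):
    """Walk a JBoss modules/ tree and classify every relevant jar in it."""
    results = (classify_jar(p) for p in Path(root).rglob("*.jar"))
    return [r for r in results if r is not None]


def report(jar_names):
    """Map each relevant jar name to its verdict; unrelated jars are skipped."""
    verdicts = {}
    for name in jar_names:
        verdict = classify_jar(name)
        if verdict is not None:
            verdicts[name] = verdict
    return verdicts


# Constructed sample: the jar names quoted in comments 5 and 6, plus one
# hypothetical pre-fix name so the "AFFECTED" branch is exercised.
SAMPLE_JARS = [
    "undertow-core-2.0.25.SP1-redhat-00001.jar",
    "jboss-remoting-5.0.14.SP1-redhat-00001.jar",
    "undertow-core-2.0.26.SP3-redhat-00001.jar",
    "jboss-remoting-5.0.16.Final-redhat-00001.jar",
    "undertow-core-2.0.23.Final-redhat-00001.jar",  # hypothetical, affected
]

if __name__ == "__main__":
    # Usage: python check_cve_2019_19343.py [path/to/modules]
    if len(sys.argv) > 1:
        names = [str(p) for p in Path(sys.argv[1]).rglob("*.jar")]
    else:
        names = SAMPLE_JARS
    for name, (artifact, version, fixed) in report(names).items():
        status = "OK      " if fixed else "AFFECTED"
        print(f"{status} {artifact} {version}  ({name})")
```

Point the script at an EAP, JDG or RH-SSO installation's `modules` directory to reproduce the comparison made in comments 5 and 6; `.overlays` layers are picked up because `rglob` descends into them. The check only reads file names, so a jar that was re-versioned or patched in place without renaming would not be detected.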

Comment 7 Salvatore Bonaccorso 2020-01-09 05:44:15 UTC
Hi

Can you confirm, is this an issue which is in undertow actually and fixed there or specific to JBOSS remoting? The CVE seems associated with undertow itself, and according to the subject here a memory leak in the HttpOpenListener. If fixed in undertow, is there a respective upstream issue and fix?

Regards,
Salvatore

Comment 8 Pedro Sampaio 2020-01-09 15:27:33 UTC
(In reply to Salvatore Bonaccorso from comment #7)
> Hi
> 
> Can you confirm, is this an issue which is in undertow actually and fixed
> there or specific to JBOSS remoting? The CVE seems associated with undertow
> itself, and according to the subject here a memory leak in the
> HttpOpenListener. If fixed in undertow, is there a respective upstream issue
> and fix?
> 
> Regards,
> Salvatore

Hi Kunjan,

Can you help with this?

Thanks.

Comment 10 Kunjan Rathod 2020-01-21 21:23:53 UTC
In reply to comment #7:
> Hi
> 
> Can you confirm, is this an issue which is in undertow actually and fixed
> there or specific to JBOSS remoting? The CVE seems associated with undertow
> itself, and according to the subject here a memory leak in the
> HttpOpenListener. If fixed in undertow, is there a respective upstream issue
> and fix?
> 
> Regards,
> Salvatore

Hello Salvatore,

The issue appears to affect both Undertow and remoting. However, the fix appears to be added in remoting (REM3-347), as it looks to be causing a memory leak in Undertow HttpOpenListener (which appears to hold remoting connections indefinitely). https://issues.redhat.com/browse/REM3-347 appears to be an upstream issue filed for the same; however, I am in discussion with Engineering to get the final confirmation on the same.

Comment 11 Salvatore Bonaccorso 2020-02-15 13:32:25 UTC
Hi Kunjan,

(In reply to Kunjan Rathod from comment #10)
> The https://issues.redhat.com/browse/REM3-347 appears to be
> an upstream issue filed for the same, however I am in discussion with
> Engineering to get the final confirmation on the same.

Was there any conclusion on that? And do I interpret it correctly, the issue on undertow side will likely not be fixed?

Thanks for your time!

Regards,
Salvatore

Comment 13 Kunjan Rathod 2020-02-18 21:30:55 UTC
In reply to comment #11:
> Hi Kunjan,
> 
> (In reply to Kunjan Rathod from comment #10)
> > The https://issues.redhat.com/browse/REM3-347 appears to be
> > an upstream issue filed for the same, however I am in discussion with
> > Engineering to get the final confirmation on the same.
> 
> Was there any conclusion on that? And do I interpret it correctly, the issue
> on undertow side will likely not be fixed?
> 
> Thanks for your time!
> 
> Regards,
> Salvatore

The issue appears to be fixed in both undertow and remoting; however, I am communicating/discussing internally to get more details.

Comment 14 Kunjan Rathod 2020-03-11 23:02:19 UTC
In reply to comment #11:
> Hi Kunjan,
> 
> (In reply to Kunjan Rathod from comment #10)
> > The https://issues.redhat.com/browse/REM3-347 appears to be
> > an upstream issue filed for the same, however I am in discussion with
> > Engineering to get the final confirmation on the same.
> 
> Was there any conclusion on that? And do I interpret it correctly, the issue
> on undertow side will likely not be fixed?
> 
> Thanks for your time!
> 
> Regards,
> Salvatore

The fix was a change in remoting; however, it manifested in an Undertow use case, therefore the title correctly mentions undertow as well as remoting.

Comment 20 errata-xmlrpc 2020-06-15 16:18:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565

Comment 21 Product Security DevOps Team 2020-06-15 17:20:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19343

Comment 22 errata-xmlrpc 2020-12-16 12:13:13 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
