Bug 2185662 (CVE-2023-1973) - CVE-2023-1973 undertow: unrestricted request storage leads to memory exhaustion
Summary: CVE-2023-1973 undertow: unrestricted request storage leads to memory exhaustion
Keywords:
Status: NEW
Alias: CVE-2023-1973
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2171939
TreeView+ depends on / blocked
 
Reported: 2023-04-10 20:40 UTC by Chess Hazlett
Modified: 2024-04-23 17:54 UTC (History)
26 users (show)

Fixed In Version: undertow 2.2.32.Final, undertow 2.3.13.Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutofMemory error, exhausting the server's memory.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1674 0 None None None 2024-04-04 15:21:06 UTC
Red Hat Product Errata RHSA-2024:1675 0 None None None 2024-04-04 15:20:36 UTC
Red Hat Product Errata RHSA-2024:1676 0 None None None 2024-04-04 15:20:03 UTC
Red Hat Product Errata RHSA-2024:1677 0 None None None 2024-04-04 15:22:53 UTC

Description Chess Hazlett 2023-04-10 20:40:57 UTC 
Undertow's FormAuthenticationMechanism can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
Comment 20 errata-xmlrpc 2024-04-04 15:20:01 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2024:1676 https://access.redhat.com/errata/RHSA-2024:1676
Comment 21 errata-xmlrpc 2024-04-04 15:20:35 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2024:1675 https://access.redhat.com/errata/RHSA-2024:1675
Comment 22 errata-xmlrpc 2024-04-04 15:21:04 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2024:1674 https://access.redhat.com/errata/RHSA-2024:1674
Comment 23 errata-xmlrpc 2024-04-04 15:22:52 UTC 
This issue has been addressed in the following products:

  EAP 7.4.16

Via RHSA-2024:1677 https://access.redhat.com/errata/RHSA-2024:1677
Comment 24 James Howe 2024-04-11 10:18:25 UTC 
Yet another old CVE that has been "addressed" and made public with no Open Source fix released.
https://github.com/undertow-io/undertow

RedHat you are really working hard to make all Undertow users vulnerable.
Note You need to log in before you can comment on or make changes to this bug.