Bug 2213639 (CVE-2023-3171) - CVE-2023-3171 eap-7: heap exhaustion via deserialization
Summary: CVE-2023-3171 eap-7: heap exhaustion via deserialization
Keywords:
Status: NEW
Alias: CVE-2023-3171
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2184432
Reported: 2023-06-08 20:01 UTC by Chess Hazlett
Modified: 2023-11-06 08:29 UTC (History)
CC List: 24 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in EAP-7 during deserialization of certain classes: HashMap and Hashtable objects are instantiated with no checks on the resources they consume. An attacker could submit malicious requests carrying these classes, eventually exhausting the heap and causing a Denial of Service.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID             Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:5484 0        None      None    None     2023-10-05 20:21:44 UTC
Red Hat Product Errata  RHSA-2023:5485 0        None      None    None     2023-10-05 20:22:14 UTC
Red Hat Product Errata  RHSA-2023:5486 0        None      None    None     2023-10-05 20:23:26 UTC
Red Hat Product Errata  RHSA-2023:5488 0        None      None    None     2023-10-05 20:18:32 UTC

Description Chess Hazlett 2023-06-08 20:01:39 UTC
It was found that EAP-7 would permit deserialization of certain classes, HashMap and Hashtable, which could eventually exhaust the heap. An attacker could use this to conduct a Denial of Service attack targeting these classes.
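The class of defect described above (collections rebuilt from an untrusted stream with no bound on depth or size) is what the JDK's serialization filter (JEP 290, java.io.ObjectInputFilter) exists to cap. The following is an added example, not code from EAP or from the fix shipped in the errata; the limit values and the small/deep test maps are constructed for illustration and must be tuned to the object graphs an application legitimately accepts.

```java
import java.io.*;
import java.util.*;

public class BoundedDeserialization {
    // Constructed limits: cap graph depth, array length, total references and
    // stream bytes, allow only classes from the java.base module, reject the rest.
    private static final ObjectInputFilter LIMITS = ObjectInputFilter.Config.createFilter(
        "maxdepth=20;maxarray=10000;maxrefs=50000;maxbytes=1048576;java.base/*;!*");

    /** Deserializes untrusted bytes under LIMITS; returns null if the filter rejects the stream. */
    public static Object readBounded(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(LIMITS);
            return in.readObject();
        } catch (InvalidClassException e) {
            // Thrown by ObjectInputStream when the filter returns REJECTED: the check runs
            // while the stream is read, so the oversized graph is never fully materialised.
            return null;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: a small HashMap, well inside every limit.
        Map<String, Integer> small = new HashMap<>();
        small.put("a", 1);
        small.put("b", 2);
        System.out.println("small HashMap accepted: " + (readBounded(serialize(small)) != null));

        // Constructed over-limit input: Hashtables nested 30 levels deep. Each nested
        // readObject call adds one level, so depth passes 20 and the filter rejects it.
        Map<String, Object> root = new Hashtable<>();
        Map<String, Object> cur = root;
        for (int i = 0; i < 30; i++) {
            Map<String, Object> next = new Hashtable<>();
            cur.put("k", next);
            cur = next;
        }
        System.out.println("deep Hashtable accepted: " + (readBounded(serialize(root)) != null));
    }
}
```

The same limits can be applied process-wide with the `jdk.serialFilter` system property instead of per stream, which is the simpler choice when the application does not control every ObjectInputStream it creates.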

Comment 5 errata-xmlrpc 2023-10-05 20:18:30 UTC
This issue has been addressed in the following products:

  EAP 7.4.13

Via RHSA-2023:5488 https://access.redhat.com/errata/RHSA-2023:5488

Comment 6 errata-xmlrpc 2023-10-05 20:21:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:5484 https://access.redhat.com/errata/RHSA-2023:5484

Comment 7 errata-xmlrpc 2023-10-05 20:22:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:5485 https://access.redhat.com/errata/RHSA-2023:5485

Comment 8 errata-xmlrpc 2023-10-05 20:23:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:5486 https://access.redhat.com/errata/RHSA-2023:5486
