Bug 2241822 (CVE-2023-5685) - CVE-2023-5685 xnio: StackOverflowException when the chain of notifier states becomes problematically big
Keywords:
Status: NEW
Alias: CVE-2023-5685
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2241803
Reported: 2023-10-02 20:16 UTC by Patrick Del Bello
Modified: 2024-04-18 15:59 UTC (History)

Fixed In Version: xnio 3.8.14, xnio 3.8.12.SP1, xnio 3.8.11.SP1
Doc Text:
A flaw was found in XNIO. The XNIO NotifierState can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large, which can lead to uncontrolled resource management and a possible denial of service (DoS).
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2023-10-02 20:16:31 UTC
A flaw was found in XNIO. The XNIO NotifierState can cause a StackOverflowException when the chain of notifier states becomes problematically big, and that may lead to uncontrolled resource management and a possible Denial of Service (DoS).

Comment 5 James Howe 2024-03-07 14:29:57 UTC
> xnio 3.8.14

When will this release be available? It's not yet in Maven Central, for example.

Comment 6 Salvatore Bonaccorso 2024-03-10 14:18:16 UTC
Hi

Can you provide a reference to the upstream commit fixing this issue? While there seems to be a preparation commit for the next 3.8.14.Final in https://github.com/xnio/xnio/commit/9b3ce71411688969cb455e5c1b62dce8303bd80e I could not find something related to this description.

Is there an upstream (public) issue for this?

Comment 7 Patrick Del Bello 2024-03-13 17:01:30 UTC
Hi @carnil,

I just checked with the maintainers. Please watch this page: https://issues.redhat.com/browse/WFCORE-6738
The details will be added as they are working on a backport.

Comment 8 James Howe 2024-03-21 12:46:59 UTC
The work was done here: https://issues.redhat.com/browse/XNIO-423

The problem is these `next` calls: https://github.com/xnio/xnio/blob/3.8.13.Final/api/src/main/java/org/xnio/AbstractIoFuture.java#L249

Release 3.8.14 (https://issues.redhat.com/projects/XNIO/versions/12423148) does not currently have an estimated release date.
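
Added example, not part of the bug thread and not XNIO source: a simplified model of why a long chain of linked notifier states walked through recursive `next` calls exhausts the thread stack, next to an iterative walk that does not. The class `NotifierChainDemo`, its `Node` type, the method names and the chain length are all hypothetical; the JVM reports the overflow as `java.lang.StackOverflowError`.

```java
// Simplified model of a chain of notifier states (hypothetical classes, not XNIO code).
public class NotifierChainDemo {
    static final class Node {
        final Runnable notifier;
        final Node next; // previously registered state, or null at the end of the chain

        Node(Runnable notifier, Node next) {
            this.notifier = notifier;
            this.next = next;
        }

        // Recursive walk: one stack frame per chained state, so stack depth
        // grows linearly with the number of registered notifiers.
        void notifyRecursive() {
            notifier.run();
            if (next != null) next.notifyRecursive();
        }
    }

    // Iterative walk: constant stack depth regardless of chain length.
    static void notifyIterative(Node head) {
        for (Node n = head; n != null; n = n.next) n.notifier.run();
    }

    static Node buildChain(int length, Runnable r) {
        Node head = null;
        for (int i = 0; i < length; i++) head = new Node(r, head);
        return head;
    }

    public static void main(String[] args) {
        // Constructed size; assumed to exceed the default thread stack on typical JVMs.
        int length = 1_000_000;
        int[] calls = {0};
        Node head = buildChain(length, () -> calls[0]++);

        try {
            head.notifyRecursive();
            System.out.println("recursive walk completed: " + calls[0]);
        } catch (StackOverflowError e) {
            System.out.println("recursive walk overflowed after " + calls[0] + " notifiers");
        }

        calls[0] = 0;
        notifyIterative(head);
        System.out.println("iterative walk completed: " + calls[0]);
    }
}
```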
