A flaw was found in Undertow as shipped in Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. References: https://issues.redhat.com/browse/JBEAP-16695
Created undertow tracking bugs for this issue: Affects: fedora-all [bug 1780446]
Since this issue is fixed in EAP 7.2.4 so the fixed version of jars are : undertow-core-2.0.25.SP1-redhat-00001.jar jboss-remoting-5.0.14.SP1-redhat-00001.jar JDG 7.3.4 ships : JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/io/undertow/core/main/undertow-core-2.0.26.SP3-redhat-00001.jar JDG/modules/system/layers/base/.overlays/layer-base-jboss-jdg-7.3.4.CP/org/jboss/remoting/main/jboss-remoting-5.0.16.Final-redhat-00001.jar Which seems to be fixed already so marking JDG as not affected.
RHSSO 7.3.5 ships : RHSSO/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/io/undertow/core/main/undertow-core-2.0.26.SP3-redhat-00001.jar RHSSO/modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/org/jboss/remoting/main/jboss-remoting-5.0.16.Final-redhat-00001.jar Which seems to be fixed already so marking RHSSO as not affected.
Hi Can you confirm, is this an issue which is in undertow actually and fixed there or specific to JBOSS remoting? The CVE seem associated with undertow itself, and according to the subject here a memory leak in the HttpOpenListener. If fixed in undertow, is there a respective upstream issue and fix? Regards, Salvatore
(In reply to Salvatore Bonaccorso from comment #7) > Hi > > Can you confirm, is this an issue which is in undertow actually and fixed > there or specific to JBOSS remoting? The CVE seem associated with undertow > itself, and according to the subject here a memory leak in the > HttpOpenListener. If fixed in undertow, is there a respective upstream issue > and fix? > > Regards, > Salvatore Hi Kunjan, Can you help with this? Thanks.
In reply to comment #7: > Hi > > Can you confirm, is this an issue which is in undertow actually and fixed > there or specific to JBOSS remoting? The CVE seem associated with undertow > itself, and according to the subject here a memory leak in the > HttpOpenListener. If fixed in undertow, is there a respective upstream issue > and fix? > > Regards, > Salvatore Hello Salvatore, The issue appears to affects both Undertow and remoting. However the fix appears to be added in remoting(REM3-347) as it looks to be causing memory Leak in Undertow HttpOpenListener(which appears to hold remoting connections indefinitely). The https://issues.redhat.com/browse/REM3-347 appears to be an upstream issue filed for the same, however I am in discussion with Enigneering to get the final confirmation on the same.
Hi Kunjan, (In reply to Kunjan Rathod from comment #10) > The https://issues.redhat.com/browse/REM3-347 appears to be > an upstream issue filed for the same, however I am in discussion with > Enigneering to get the final confirmation on the same. Was there any conclusion on that? And do I interpret it correctly, the issue on undertow side will likely not be fixed? Thanks for your time! Regards, Salvatore
In reply to comment #11: > Hi Kunjan, > > (In reply to Kunjan Rathod from comment #10) > > The https://issues.redhat.com/browse/REM3-347 appears to be > > an upstream issue filed for the same, however I am in discussion with > > Enigneering to get the final confirmation on the same. > > Was there any conclusion on that? And do I interpret it correctly, the issue > on undertow side will likely not be fixed? > > Thanks for your time! > > Regards, > Salvatore The issue appears to be fixed in both undertow and remoting, however I am communicating/discussing internally to get more details.
In reply to comment #11: > Hi Kunjan, > > (In reply to Kunjan Rathod from comment #10) > > The https://issues.redhat.com/browse/REM3-347 appears to be > > an upstream issue filed for the same, however I am in discussion with > > Enigneering to get the final confirmation on the same. > > Was there any conclusion on that? And do I interpret it correctly, the issue > on undertow side will likely not be fixed? > > Thanks for your time! > > Regards, > Salvatore The fix was a change in remoting however, it manifested in an Undertow use case, therefore the title correctly mentions undertow as well as remoting.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19343
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568