Bug 2322461 (CVE-2024-49769) - CVE-2024-49769 waitress: Waitress has a denial of service leading to high CPU usage/resource exhaustion
Summary: CVE-2024-49769 waitress: Waitress has a denial of service leading to high CPU...
Keywords:
Status: NEW
Alias: CVE-2024-49769
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2322469 2322470 2322471 2322475 2322476 2322472 2322473 2322474 2322477 2322478 2322481 2324286 2332105 2350664 2350665 2350666
Blocks:
Reported: 2024-10-29 15:01 UTC by OSIDB Bzimport
Modified: 2025-03-07 18:09 UTC (History)
CC List: 21 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2025:1373 0 None None None 2025-02-13 00:17:35 UTC
Red Hat Product Errata RHBA-2025:1376 0 None None None 2025-02-13 00:44:50 UTC
Red Hat Product Errata RHSA-2024:10145 0 None None None 2024-11-26 11:22:47 UTC
Red Hat Product Errata RHSA-2024:10535 0 None None None 2024-12-05 02:22:20 UTC
Red Hat Product Errata RHSA-2024:10815 0 None None None 2024-12-12 02:22:58 UTC
Red Hat Product Errata RHSA-2024:9613 0 None None None 2024-11-19 08:48:55 UTC
Red Hat Product Errata RHSA-2024:9618 0 None None None 2024-11-20 00:54:37 UTC
Red Hat Product Errata RHSA-2024:9623 0 None None None 2024-11-20 04:25:14 UTC
Red Hat Product Errata RHSA-2025:0201 0 None None None 2025-01-09 14:56:17 UTC
Red Hat Product Errata RHSA-2025:1191 0 None None None 2025-02-10 01:05:03 UTC
Red Hat Product Errata RHSA-2025:1192 0 None None None 2025-02-10 01:05:09 UTC

Description OSIDB Bzimport 2024-10-29 15:01:58 UTC
Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername(), waitress won't correctly clean up the connection, leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function. A remote attacker could run waitress out of available sockets with very little resources required. Waitress 3.0.1 contains fixes that remove the race condition.
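
The failure mode described above, as an added simplified model (this is illustration code, not waitress's own source): a channel whose getpeername() fails because the peer is already gone stays registered in the poll map and is re-polled on every pass, while the hardened variant drops and closes it at once. `ResetPeerSocket`, `Channel`, `simulate` and the `drop_unconnected` switch are constructed for this example.

```python
import errno

class ResetPeerSocket:
    """Constructed fake (not a real socket): peer reset before getpeername()."""
    def __init__(self):
        self.closed = False
    def getpeername(self):
        raise OSError(errno.ENOTCONN, "Transport endpoint is not connected")
    def close(self):
        self.closed = True

class Channel:
    """Simplified asyncore-style channel (model only, not waitress code)."""
    def __init__(self, sock, channel_map, drop_unconnected):
        self.sock, self.map, self.connected = sock, channel_map, True
        self.map[id(self)] = self  # registered before the peer is known
        try:
            self.addr = sock.getpeername()
        except OSError as err:
            if err.args[0] not in (errno.ENOTCONN, errno.EINVAL):
                self.close()
                raise
            self.addr, self.connected = None, False  # peer already gone
            if drop_unconnected:
                # Hardened path: a channel without a peer can never be served,
                # so drop it from the map and release the descriptor now.
                self.close()

    def writable(self):
        return True  # an idle channel always reports write interest

    def handle_write(self):
        if not self.connected:
            return  # vulnerable path: no progress, yet it stays registered

    def close(self):
        self.map.pop(id(self), None)
        self.sock.close()

def simulate(drop_unconnected, iterations=1000):
    """Return (channels still registered, handle_write calls, socket closed)
    after accepting one reset connection and polling the loop N times."""
    channel_map, calls = {}, 0
    ch = Channel(ResetPeerSocket(), channel_map, drop_unconnected)
    for _ in range(iterations):  # every pass re-polls the dead channel
        for c in list(channel_map.values()):
            if c.writable():
                c.handle_write()
                calls += 1
    return len(channel_map), calls, ch.sock.closed
```

With `drop_unconnected=False` the dead channel is visited on all 1000 passes without ever completing, which is the CPU-burning loop the advisory describes; with `drop_unconnected=True` the map is empty after the first pass and the descriptor is released.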

Comment 1 errata-xmlrpc 2024-11-19 08:48:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:9613 https://access.redhat.com/errata/RHSA-2024:9613

Comment 2 errata-xmlrpc 2024-11-20 00:54:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:9618 https://access.redhat.com/errata/RHSA-2024:9618

Comment 3 errata-xmlrpc 2024-11-20 04:25:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:9623 https://access.redhat.com/errata/RHSA-2024:9623

Comment 4 errata-xmlrpc 2024-11-26 11:22:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:10145 https://access.redhat.com/errata/RHSA-2024:10145

Comment 6 errata-xmlrpc 2024-12-05 02:22:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12
  Ironic content for Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:10535 https://access.redhat.com/errata/RHSA-2024:10535

Comment 7 errata-xmlrpc 2024-12-12 02:22:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:10815 https://access.redhat.com/errata/RHSA-2024:10815

Comment 8 errata-xmlrpc 2025-01-09 14:56:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2025:0201 https://access.redhat.com/errata/RHSA-2025:0201

Comment 9 errata-xmlrpc 2025-02-10 01:05:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:1191 https://access.redhat.com/errata/RHSA-2025:1191

Comment 10 errata-xmlrpc 2025-02-10 01:05:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2025:1192 https://access.redhat.com/errata/RHSA-2025:1192