Resource Exhaustion Vulnerability in Red Hat WildFly
CVE-2016-9589

7.5 HIGH

Key Information:

Vendor: Red Hat
Status: Vendor
CVE Published: 12 March 2018

Summary

The Undertow component of Red Hat WildFly prior to version 11.0.0.Beta1 is susceptible to resource exhaustion. The issue arises from how HTTP headers are cached on persistent (keep-alive) connections: an attacker who keeps sending large amounts of header data over such a connection can fill the server's memory with garbage, leading to a denial of service that degrades the server's stability and the performance seen by legitimate users. With the default configuration, each active TCP connection may retain up to 'max-headers' (default 200) multiplied by 'max-header-size' (default 1MB) of cached header data, so the per-connection bound is large enough to allow memory overload.
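The following is an added illustration, not Undertow's or WildFly's own code. It models the mechanism the summary describes: a per-connection header cache that only enforces the two per-entry limits ('max-headers' and 'max-header-size') can be driven to their product by a single persistent connection, whereas a cache with an additional total byte budget per connection stays bounded however many requests the connection carries. The class names, the `cache_budget` parameter and the `simulate` driver are hypothetical; the defaults of 200 and 1 MB are the ones stated on this page.

```python
"""Constructed model of per-connection HTTP header caching (CVE-2016-9589).

Not Undertow code: HeaderCache, BoundedHeaderCache, worst_case_cache_bytes
and simulate are hypothetical names used for illustration only.
"""

DEFAULT_MAX_HEADERS = 200                # 'max-headers' default stated on the page
DEFAULT_MAX_HEADER_SIZE = 1024 * 1024    # 'max-header-size' default (1 MB) stated on the page


def worst_case_cache_bytes(max_headers=DEFAULT_MAX_HEADERS,
                           max_header_size=DEFAULT_MAX_HEADER_SIZE,
                           connections=1):
    """Upper bound on header bytes retained when every persistent connection
    may cache max_headers entries of up to max_header_size bytes each."""
    return max_headers * max_header_size * connections


class HeaderCache:
    """Per-connection cache that enforces only the two per-entry limits.
    Over a persistent connection an attacker can fill it to the worst case."""

    def __init__(self, max_headers=DEFAULT_MAX_HEADERS,
                 max_header_size=DEFAULT_MAX_HEADER_SIZE):
        self.max_headers = max_headers
        self.max_header_size = max_header_size
        self.entries = {}

    def cached_bytes(self):
        return sum(len(k) + len(v) for k, v in self.entries.items())

    def add(self, name, value):
        if len(name) + len(value) > self.max_header_size:
            raise ValueError("header exceeds max-header-size")
        if name not in self.entries and len(self.entries) >= self.max_headers:
            raise ValueError("too many headers")
        self.entries[name] = value


class BoundedHeaderCache(HeaderCache):
    """Hardened variant: a total byte budget per connection (hypothetical
    'cache_budget') independent of how many requests the connection carries."""

    def __init__(self, cache_budget, **kw):
        super().__init__(**kw)
        self.cache_budget = cache_budget

    def add(self, name, value):
        old = self.entries.get(name)
        old_size = len(name) + len(old) if old is not None else 0
        delta = len(name) + len(value) - old_size
        if self.cached_bytes() + delta > self.cache_budget:
            return False   # refuse to cache; the request is still parsed, memory stays bounded
        super().add(name, value)
        return True


def simulate(cache, requests, headers_per_request, header_size):
    """Feed many requests over one persistent connection, each carrying fresh
    header names with header_size-byte values; return bytes the cache retains."""
    n = 0
    for _ in range(requests):
        for _ in range(headers_per_request):
            name = f"x-h{n}"       # constructed, always-new header name
            n += 1
            try:
                cache.add(name, "a" * header_size)
            except ValueError:
                pass               # per-entry limit hit; connection stays open
    return cache.cached_bytes()


if __name__ == "__main__":
    print("worst case per connection:", worst_case_cache_bytes(), "bytes")
    print("unbounded cache retains:", simulate(HeaderCache(), 50, 10, 10_000))
    print("budgeted cache retains:",
          simulate(BoundedHeaderCache(cache_budget=64 * 1024), 50, 10, 10_000))
```

With the page's defaults the unbounded model tops out at 200 × 1 MB per connection, and the worst case scales linearly with the number of open keep-alive connections; the budgeted variant caps retained bytes at the budget regardless of request count, which is the property a defender should verify when tuning 'max-headers' and 'max-header-size' on an unpatched server.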

Affected Version(s)

WildFly 11.0.0.Beta1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
