Infinite loop in sslconduit during close
CVE-2023-1108

7.5HIGH

Key Information:

Vendor

Red Hat
Status
undertow
Red Hat JBoss Enterprise Application Platform 7
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Vendor
CVE Published:
14 September 2023

What is CVE-2023-1108?

A vulnerability has been identified within Undertow, affecting its SSL Conduit. This flaw stems from an unexpected handshake status update, which can cause an infinite loop, thereby resulting in a Denial of Service. Malicious actors could exploit this vulnerability to prevent legitimate access to the service, leading to disruptions. Users of Undertow are advised to apply the latest patches to mitigate the risk associated with this issue.

Affected Version(s)

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:2.2.22-1.SP3_redhat_00002.1.el8eap

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:7.4.9-6.GA_redhat_00004.1.el8eap

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:2.2.23-1.SP2_redhat_00001.1.el8eap

References

https://access.redhat.com/errata/RHSA-2023:1184
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1185
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1512
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.