Undertow Vulnerability Impacts Wildfly-HTTP-Client Server
CVE-2024-1635

7.5HIGH

Key Information:

Status
Red Hat Build Of Apache Camel 4.4.1 For Spring Boot
Red Hat Fuse 7.13.0
Red Hat Jboss Enterprise Application Platform 7
Vendor
CVE Published:
19 February 2024

Summary

A vulnerability has been identified within Undertow that affects servers utilizing the WildFly HTTP Client protocol. The issue occurs when a malicious actor exploits the behavior of connection handling, causing the server to exhaust its memory and file descriptor limits. This situation arises when a connection is opened and immediately closed at the HTTP port, leading to leaked connections via the WriteTimeoutStreamSinkConduit. Notably, if the RemotingConnection is closed by the Remoting ServerConnectionOpenListener, the connection's outermost layer fails to notify the Undertow conduit of the closure. Consequently, this lack of notification allows the timeout task to continue leaking connections through the XNIO WorkerThread, resulting in a prolonged impact on the server's resource consumption. Organizations are urged to address this vulnerability promptly to safeguard against potential denial-of-service scenarios.

References

https://access.redhat.com/errata/RHSA-2024:1674
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1675
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1676
vendor-advisoryx_refsource_REDHAT

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.