Denial of Service Vulnerability in Narayana LRA Coordinator Component
CVE-2024-8447
5.9 MEDIUM
Summary
A security vulnerability exists within the LRA Coordinator component of the Narayana transaction manager that can lead to significant application disruptions. The flaw arises when the Cancel operation is invoked, resulting in a delay of about 2 seconds. If a Join request is made with the same LRA ID during this interval, it may cause the application to crash or hang indefinitely, resulting in a denial of service. It is crucial for users of affected Narayana versions to implement appropriate mitigations to prevent potential service outages.
References
CVSS V3.1
Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published