Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2024-1635 (High) detected in undertow-core-1.4.21.Final.jar #263

Open
mend-bolt-for-github bot opened this issue Apr 11, 2024 · 0 comments
Open

CVE-2024-1635 (High) detected in undertow-core-1.4.21.Final.jar #263

mend-bolt-for-github bot opened this issue Apr 11, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link
Contributor

CVE-2024-1635 - High Severity Vulnerability

Vulnerable Library - undertow-core-1.4.21.Final.jar

Undertow

Library home page: http://www.jboss.org/

Path to dependency file: /DemoApplication/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/io.undertow/undertow-core/1.4.21.Final/5b090ee5bc041d1515be2e78687a868424495a73/undertow-core-1.4.21.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-undertow-1.5.9.RELEASE.jar (Root Library)
    • undertow-core-1.4.21.Final.jar (Vulnerable Library)

Found in HEAD commit: de2586fa2a022011c9940939b5ce1148441d3a68

Found in base branch: master

Vulnerability Details

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available.

At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.

Publish Date: 2024-02-19

URL: CVE-2024-1635

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=2264928

Release Date: 2024-02-19

Fix Resolution (io.undertow:undertow-core): 2.2.31.Final

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 3.0.0

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Apr 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants