CVE-2023-5379

2023-12-1200:00:00

ubuntu.com

undertow

ajp request

max-header-size

jboss eap

mod_cluster

mod_proxy_cluster

denial of service

dos

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

21.2%

JSON

A flaw was found in Undertow. When an AJP request is sent that exceeds the
max-header-size attribute in ajp-listener, JBoss EAP is marked in an error
state by mod_cluster in httpd, causing JBoss EAP to close the TCP
connection without returning an AJP response. This happens because
mod_proxy_cluster marks the JBoss EAP instance as an error worker when the
TCP connection is closed from the backend after sending the AJP request
without receiving an AJP response, and stops forwarding. This issue could
allow a malicious user could to repeatedly send requests that exceed the
max-header-size, causing a Denial of Service (DoS).

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchundertow< anyUNKNOWN
ubuntu20.04noarchundertow< anyUNKNOWN
ubuntu22.04noarchundertow< anyUNKNOWN
ubuntu24.04noarchundertow< anyUNKNOWN
ubuntu16.04noarchundertow< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	undertow	< any	UNKNOWN
ubuntu	20.04	noarch	undertow	< any	UNKNOWN
ubuntu	22.04	noarch	undertow	< any	UNKNOWN
ubuntu	24.04	noarch	undertow	< any	UNKNOWN
ubuntu	16.04	noarch	undertow	< any	UNKNOWN