CVE-2024-1635

2024-02-19 00:00:00
ubuntu.com
undertow
vulnerability
server
wildfly-http-client
protocol
http port
memory exhaustion
file limits
connection
leak
remotingconnection
undertow writetimeoutstreamsinkconduit
xnio workerthread
unix

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

14.2%

A vulnerability was found in Undertow. It affects a server that supports the
wildfly-http-client protocol. Whenever a malicious user opens a connection to
the server's HTTP port and then closes it immediately, the server eventually
exhausts both its memory and its open-file limit; how quickly this happens
depends on the amount of memory available. During the HTTP upgrade to
remoting, the WriteTimeoutStreamSinkConduit leaks connections if the
RemotingConnection is closed by the Remoting ServerConnectionOpenListener.
Because the remoting connection originates in Undertow as part of the HTTP
upgrade, there is an outer layer wrapping the remoting connection, and the
remoting connection is unaware of that outermost layer when it is closed
during the connection-opening procedure. As a result, the Undertow
WriteTimeoutStreamSinkConduit is never notified that the connection has been
closed. Because WriteTimeoutStreamSinkConduit creates a timeout task that is
added to the XNIO WorkerThread, the whole dependency tree leaks via that
task: the WorkerThread references the Undertow conduit, which in turn holds
the connections, so they are never released.