Denial Of Service (DoS)

2019-01-1509:14:29

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

JSON

undertow-core is vulnerable to denial of service attacks. The vulnerability exists when a GET request with very long URL (about 1900 characters) which exceeds the default buffer sizes is sent to the proxy server, it consumes 100% CPU and fills the disk space by generating logs very fast with an infinite loop.

CPENameOperatorVersion
eap7-undertoweq1.3.31__1.Final_redhat_1.1.ep7.el6
eap7-undertoweq1.3.25__1.Final_redhat_1.1.ep7.el7
eap7-undertoweq1.3.21__1.Final_redhat_1.1.ep7.el6
eap7-undertoweq1.3.23__1.Final_redhat_1.1.ep7.el6
eap7-undertoweq1.3.28__4.Final_redhat_4.1.ep7.el6
eap7-undertoweq1.3.25__1.Final_redhat_1.1.ep7.el6
eap7-undertoweq1.3.24__1.Final_redhat_1.1.ep7.el6
eap7-undertoweq1.3.28__4.Final_redhat_4.1.ep7.el7
eap7-undertoweq1.3.31__1.Final_redhat_1.1.ep7.el7
eap7-undertoweq1.3.23__1.Final_redhat_1.1.ep7.el7

Name	Operator	Version
eap7-undertow	eq	1.3.31__1.Final_redhat_1.1.ep7.el6
eap7-undertow	eq	1.3.25__1.Final_redhat_1.1.ep7.el7
eap7-undertow	eq	1.3.21__1.Final_redhat_1.1.ep7.el6
eap7-undertow	eq	1.3.23__1.Final_redhat_1.1.ep7.el6
eap7-undertow	eq	1.3.28__4.Final_redhat_4.1.ep7.el6
eap7-undertow	eq	1.3.25__1.Final_redhat_1.1.ep7.el6
eap7-undertow	eq	1.3.24__1.Final_redhat_1.1.ep7.el6
eap7-undertow	eq	1.3.28__4.Final_redhat_4.1.ep7.el7
eap7-undertow	eq	1.3.31__1.Final_redhat_1.1.ep7.el7
eap7-undertow	eq	1.3.23__1.Final_redhat_1.1.ep7.el7