Main Vulnerability Database SB2018091111

SB2018091111 - Memory leak in Undertow for Wildfly Application Server

Published: September 11, 2018 Updated: August 13, 2019

Security Bulletin ID SB2018091111

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Memory leak (CVE-ID: CVE-2018-1114)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in URLResource.getLastModified() function in Undertow due to the method closes file descriptors only when they are finalized. A remote attacker can initiate opening of numerous URLs and exhaust all file descriptors, leading to a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2018:2643
https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2019:0877
https://bugs.openjdk.java.net/browse/JDK-6956385
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1114
https://issues.jboss.org/browse/UNDERTOW-1338