Denial of service in Undertow

Published: 2022-10-05

Risk	Medium
Patch available	NO
Number of vulnerabilities	1
CVE-ID	CVE-2022-1259
CWE-ID	CWE-400
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Undertow Server applications / Web servers
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Resource exhaustion

EUVDB-ID: #VU67947

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1259

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect handling of HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Note, the vulnerability exists due to an incomplete fix for #VU58177 (CVE-2021-3629).

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Undertow: 2.0.0 - 2.3.0 Alpha2

Fixed software versions

CPE2.3

cpe:2.3:a:red_hat:undertow:2.3.0:Alpha2:*:*:*:wildfly_core:*:*

External links

http://bugzilla.redhat.com/show_bug.cgi?id=2072339

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?