Infinite loop in JBoss Application Server - CVE-2018-1041
Published: February 6, 2018 / Updated: June 17, 2021
Vulnerability identifier: #VU10381
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-1041
CWE-ID: CWE-835
Exploitation vector: Adjacent network
Exploit availability:
Public exploit is available
Vendor: Red Hat Inc.
Affected software:
JBoss Application Server
Detailed vulnerability description
The vulnerability allows an adjacent attacker to cause a DoS condition on the target system.
The weakness exists due to an error in the way RemoteMessageChannel handles malformed input. An adjacent, unauthenticated attacker can send specially crafted data that makes RemoteMessageChannel read from an empty buffer; the read makes no progress, the receiving thread enters an infinite loop (CWE-835), CPU consumption climbs to 100% and the service stops responding. No code execution or data exposure is involved, which is why the vector above scores only availability impact.
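The loop shape behind this class of bug, as an added illustration that is not jboss-remoting's or Red Hat's code: a framed-message reader that keeps polling a channel until a 4-byte length header is complete. The class, method and channel names are hypothetical and the test doubles are constructed inputs; the vulnerable variant ignores the read's return value, so a channel that returns zero bytes spins forever (capped here only so the demo terminates), while the hardened variant treats 0 as "wait for readability" and -1 as EOF.

```java
import java.io.EOFException;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.ReadableByteChannel;
import java.util.OptionalInt;

// Added illustration of the CWE-835 pattern; hypothetical names, not jboss-remoting code.
public class EmptyBufferReadDemo {

    /** Constructed test double: an open non-blocking channel that never has bytes ready. */
    static final class EmptyChannel implements ReadableByteChannel {
        private boolean open = true;
        @Override public int read(ByteBuffer dst) { return 0; }   // 0 = nothing now, NOT end of stream
        @Override public boolean isOpen() { return open; }
        @Override public void close() { open = false; }
    }

    /** Constructed test double: a channel that delivers a fixed byte sequence, then EOF. */
    static final class ScriptedChannel implements ReadableByteChannel {
        private final ByteBuffer data;
        ScriptedChannel(byte[] bytes) { this.data = ByteBuffer.wrap(bytes); }
        @Override public int read(ByteBuffer dst) {
            if (!data.hasRemaining()) return -1;                    // end of stream
            int n = Math.min(dst.remaining(), data.remaining());
            for (int i = 0; i < n; i++) dst.put(data.get());
            return n;
        }
        @Override public boolean isOpen() { return true; }
        @Override public void close() { }
    }

    /** Only so the vulnerable demo terminates; the real bug has no such cap. */
    static final int ITERATION_CAP = 1_000_000;

    /**
     * Vulnerable shape: "loop until the header buffer is full". A read that returns
     * 0 (or -1) fills nothing, so hasRemaining() stays true and the thread busy-spins.
     */
    static int readLengthVulnerable(ReadableByteChannel ch) throws IOException {
        ByteBuffer header = ByteBuffer.allocate(4);
        int spins = 0;
        while (header.hasRemaining()) {
            ch.read(header);                                        // return value discarded
            if (++spins >= ITERATION_CAP) {
                throw new IllegalStateException("would loop forever: " + spins + " empty reads");
            }
        }
        header.flip();
        return header.getInt();
    }

    /**
     * Hardened shape: every iteration must make progress or the loop exits.
     * Empty result = header incomplete, caller re-arms read interest on its selector
     * and retries when the channel is readable; EOF before a full header is an error.
     */
    static OptionalInt readLengthFixed(ReadableByteChannel ch) throws IOException {
        ByteBuffer header = ByteBuffer.allocate(4);
        while (header.hasRemaining()) {
            int n = ch.read(header);
            if (n == -1) throw new EOFException("peer closed before message header was complete");
            if (n == 0) return OptionalInt.empty();                  // yield instead of spinning
        }
        header.flip();
        return OptionalInt.of(header.getInt());
    }

    public static void main(String[] args) throws IOException {
        try {
            readLengthVulnerable(new EmptyChannel());
        } catch (IllegalStateException e) {
            System.out.println("vulnerable reader: " + e.getMessage());
        }
        System.out.println("fixed reader, empty channel: " + readLengthFixed(new EmptyChannel()));
        // Constructed frame header 0x0000002A => length 42.
        byte[] frame = {0, 0, 0, 42};
        System.out.println("fixed reader, scripted channel: " + readLengthFixed(new ScriptedChannel(frame)));
    }
}
```

The fix is not a timeout or an iteration cap but a contract: a zero-byte read means the caller must go back to the event loop, and a negative read means the peer is gone. Either way the thread leaves the loop, so an attacker who can only supply an empty or truncated message cannot pin a CPU core.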
How to mitigate CVE-2018-1041
Install the update from the vendor's website. Until it is applied, restrict which hosts can reach the remoting port: the vector above shows the flaw is reachable from the adjacent network without authentication (AV:A, PR:N), so network-level filtering removes most of the exposure.