#VU20069 Memory leak in Undertow
Vulnerability identifier: #VU20069
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-401
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Undertow
Server applications /
Web servers
Vendor: Red Hat Inc.
Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in URLResource.getLastModified() function in Undertow due to the method closes file descriptors only when they are finalized. A remote attacker can initiate opening of numerous URLs and exhaust all file descriptors, leading to a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Undertow: 2.0.0 - 2.0.4
External links
http://access.redhat.com/errata/RHSA-2018:2643
http://access.redhat.com/errata/RHSA-2018:2669
http://access.redhat.com/errata/RHSA-2019:0877
http://bugs.openjdk.java.net/browse/JDK-6956385
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1114
http://issues.jboss.org/browse/UNDERTOW-1338
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
