Memory leak in Undertow

#VU56025 Memory leak in Undertow

Published: 2021-08-22

Vulnerability identifier: #VU56025

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3690

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Undertow
Server applications / Web servers

Vendor: Red Hat Inc.

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing incoming PONG messages. A remote attacker can force the application to leak memory by sending an websocket PONG message and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Undertow: 2.0.0 - 2.2.9

External links
http://issues.redhat.com/browse/UNDERTOW-1935
http://bugzilla.redhat.com/show_bug.cgi?id=1991299

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Communications Cloud Native Core Network Slice Selection Function

Denial of service in Undertow