#VU63159 Allocation of Resources Without Limits or Throttling in XNIO


Published: 2022-05-13 | Updated: 2023-08-17

Vulnerability identifier: #VU63159

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0084

CWE-ID: CWE-770

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
XNIO
Universal components / Libraries / Libraries used by multiple products

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to notifyReadClosed method from main/java/org/xnio/StreamConnection.java logs data into debug log instead of stderr. As a result, an attacker can trigger the application to log enormous amount of data and consume all available space.

Mitigation
Install update from vendor's website.

Vulnerable software versions

XNIO: 3.8.6 - 3.8.7

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2064226

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Allocation of resources without limits or throttling in IBM InfoSphere Information Server
Multiple vulnerabilities in Oracle Communications Cloud Native Core Console
Multiple vulnerabilities in Red Hat Single Sign-On 7.6
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 on RHEL 7
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 on RHEL 8
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 on RHEL 9
Red Hat Single Sign-On 7.5 on RHEL 7 update for keycloak
Red Hat Single Sign-On 7.5 on RHEL 8 update for keycloak
Multiple vulnerabilities in Red Hat Single Sign-On 7.5
Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform