#VU69919 Resource management error in Undertow


Published: 2022-12-06

Vulnerability identifier: #VU69919

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2764

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Undertow
Server applications / Web servers

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources in the UndertowInputStream.close() method related to EJB invocations. A remote attacker can force the application to keep the connection open and consume all available server resources.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Undertow: 2.0.0 - 2.3.0 Alpha2

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2117506
http://issues.redhat.com/browse/UNDERTOW-2048

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat Single Sign-On 7.6
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 for RHEL 7
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 for RHEL 8
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 for RHEL 9
Multiple vulnerabilities in Red Hat Single Sign-On 7.6 for OpenShift
Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7 update for undertow
Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8 update for undertow
JBoss Enterprise Application Platform 7.4 for RHEL 9 update for undertow
Denial of service in Red Hat JBoss Enterprise Application Platform 7.4
Denial of service in Undertow