CVE-2016-9589

CWE-400 — Uncontrolled Resource Consumption6 documents6 sources

Severity

7.5HIGH

EPSS

2.2%

top 15.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Wildfly Application Server RED Hat, Inc. Wildfly

Timeline

PublishedMar 12

Latest updateMay 13

Description

Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.wildfly:wildfly-undertow< 11.0.0.Beta1

▶NVDredhat/jboss_wildfly_application_server10.1.0+1

▶CVEListV5red_hat,_inc./wildfly11.0.0.Beta1

🔴Vulnerability Details

GHSA

Red Hat Wildfly DoS↗2022-05-13

▶

OSV

Red Hat Wildfly DoS↗2022-05-13

▶

CVEList

CVE-2016-9589: Undertow in Red Hat wildfly before version 11↗2018-03-12

▶

📋Vendor Advisories

Red Hat

wildfly: ParseState headerValuesCache can be exploited to fill heap with garbage↗2017-03-22

▶

💬Community

Bugzilla

CVE-2016-9589 wildfly: ParseState headerValuesCache can be exploited to fill heap with garbage↗2016-12-14

▶