CVE-2024-1635: Uncontrolled Resource Consumption in Redhat Fuse

Severity: 7.5 HIGH (NVD)
EPSS: 22.7% (top 4.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 19; latest update Apr 15

Description

A vulnerability was found in Undertow. It affects servers that support the wildfly-http-client protocol. Whenever a malicious user opens a connection to the server's HTTP port and then closes it immediately, the server will eventually exhaust both its memory and its open-file limit, with the time to exhaustion depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 4 packages

Also affects: Openshift Container Platform 4.11, 4.12, 4.10, 4.9

Vulnerability Details (4)

GHSA: Undertow Uncontrolled Resource Consumption Vulnerability (2024-02-20)
OSV: Undertow Uncontrolled Resource Consumption Vulnerability (2024-02-20)
CVEList: Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol (2024-02-19)
OSV: CVE-2024-1635: A vulnerability was found in Undertow (2024-02-19)

Vendor Advisories (3)

Oracle: Oracle Communications Risk Matrix: Install/Upgrade (Undertow), CVE-2024-1635 (2024-04-15)
Debian: CVE-2024-1635: undertow - A vulnerability was found in Undertow. This vulnerability impacts a server that ... (2024)
Red Hat: undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol (2023-10-27)