SamHeadrickCx / JavaVulnerableLab-1

lab
GNU General Public License v2.0

CX: CVE-2024-1635 in Maven-io.undertow:undertow-core and 2.0.9.Final @ JavaVulnerableLab-1.refs/heads/master #54

Open github-actions[bot] opened 1 week ago

github-actions[bot] commented 1 week ago

Description

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens a connection to the HTTP port of the server and then closes it immediately, the server will eventually exhaust both memory and open file limits, at a point that depends on the amount of memory available. This issue affects "io.undertow:undertow-core" in versions 1.0.2.Final through 2.2.30.Final, and 2.3.0.Final through 2.3.11.Final.

At HTTP upgrade to remoting, the "WriteTimeoutStreamSinkConduit" leaks connections if "RemotingConnection" is closed by Remoting "ServerConnectionOpenListener". Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow "WriteTimeoutStreamSinkConduit" is not notified of the closed connection in this scenario. Because "WriteTimeoutStreamSinkConduit" creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO "WorkerThread". So, the "workerThread" points to the Undertow conduit, which contains the connections and causes the leak.

HIGH Vulnerable Package issue exists @ io.undertow:undertow-core in branch refs/heads/master

Vulnerability ID: CVE-2024-1635

Package Name: io.undertow:undertow-core

Severity: HIGH

CVSS Score: 7.5

Publish Date: 2024-02-19T22:15:00

Current Package Version: 2.0.9.Final

Remediation Upgrade Recommendation: 2.3.16.SP1-redhat-00001

Link To SCA

Reference – NVD link