Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1635[0]:
| A vulnerability was found in Undertow. This vulnerability impacts a
| server that supports the wildfly-http-client protocol. Whenever a
| malicious user opens and closes a connection with the HTTP port of
| the server and then closes the connection immediately, the server
| will end with both memory and open file limits exhausted at some
| point, depending on the amount of memory available. At HTTP
| upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks
| connections if RemotingConnection is closed by Remoting
| ServerConnectionOpenListener. Because the remoting connection
| originates in Undertow as part of the HTTP upgrade, there is an
| external layer to the remoting connection. This connection is
| unaware of the outermost layer when closing the connection during
| the connection opening procedure. Hence, the Undertow
| WriteTimeoutStreamSinkConduit is not notified of the closed
| connection in this scenario. Because WriteTimeoutStreamSinkConduit
| creates a timeout task, the whole dependency tree leaks via that
| task, which is added to XNIO WorkerThread. So, the workerThread
| points to the Undertow conduit, which contains the connections and
| causes the leak.

https://bugzilla.redhat.com/show_bug.cgi?id=2264928

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1635
    https://www.cve.org/CVERecord?id=CVE-2024-1635

Please adjust the affected versions in the BTS as needed.
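A self-contained model of the leak mechanism the CVE description outlines, added here as an illustration and not Undertow's or XNIO's code (every class name is a hypothetical stand-in): a timeout task parked on a worker keeps the outer conduit and the per-connection state it holds strongly reachable, and only when the inner connection's close is wired through to the outer layer can that task be cancelled and dropped from the worker's queue.

```java
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

// Hypothetical model of the layered-close leak; names are illustrative, not Undertow's.
public class TimeoutTaskLeakDemo {

    // Outer layer: a write-timeout conduit that parks a timeout task on the worker thread.
    static final class WriteTimeoutConduit {
        final byte[] perConnectionState = new byte[64 * 1024]; // stand-in for buffers, socket, etc.
        ScheduledFuture<?> timeoutTask;

        void armTimeout(ScheduledThreadPoolExecutor worker) {
            // The lambda captures 'this': as long as the task sits in the worker queue,
            // the conduit and everything it references stay strongly reachable.
            timeoutTask = worker.schedule(() -> System.out.println("write timeout " + this),
                                          1, TimeUnit.HOURS);
        }

        void close() {
            if (timeoutTask != null) timeoutTask.cancel(false);
        }
    }

    // Inner layer: the upgraded connection. The vulnerable variant closes only itself;
    // the fixed variant also notifies the outer conduit that wraps it.
    static final class InnerConnection {
        final WriteTimeoutConduit outer;
        final boolean notifyOuterOnClose;
        InnerConnection(WriteTimeoutConduit outer, boolean notifyOuterOnClose) {
            this.outer = outer; this.notifyOuterOnClose = notifyOuterOnClose;
        }
        void close() { if (notifyOuterOnClose) outer.close(); }
    }

    // Returns how many timeout tasks (and therefore conduits) remain pinned after the churn.
    static int pinnedConduitsAfter(int connections, boolean notifyOuterOnClose) {
        ScheduledThreadPoolExecutor worker = new ScheduledThreadPoolExecutor(1);
        worker.setRemoveOnCancelPolicy(true); // otherwise cancelled tasks linger in the queue until due
        for (int i = 0; i < connections; i++) {
            WriteTimeoutConduit conduit = new WriteTimeoutConduit();
            conduit.armTimeout(worker);
            new InnerConnection(conduit, notifyOuterOnClose).close(); // open, then close immediately
        }
        int pinned = worker.getQueue().size();
        worker.shutdownNow();
        return pinned;
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + pinnedConduitsAfter(1000, false) + " conduits still pinned");
        System.out.println("fixed:      " + pinnedConduitsAfter(1000, true) + " conduits still pinned");
    }
}
```

Note the `setRemoveOnCancelPolicy(true)` line: with the JDK default, a cancelled `ScheduledFuture` still occupies the queue until its due time, so cancelling the task alone does not free the object graph.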