All the vulnerabilites related to Red Hat - Red Hat build of Apache Camel 4.4.1 for Spring Boot
cve-2024-1023
Vulnerability from cvelistv5
Published
2024-03-27 07:51
Modified
2024-11-15 21:03
Severity ?
EPSS score ?
Summary
Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:1662 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1706 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2088 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2833 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:3527 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:3989 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4884 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-1023 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2260840 | issue-tracking, x_refsource_REDHAT | |
https://github.com/eclipse-vertx/vert.x/issues/5078 | ||
https://github.com/eclipse-vertx/vert.x/pull/5080 | ||
https://github.com/eclipse-vertx/vert.x/pull/5082 |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1023", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T17:46:25.667630Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T15:37:55.153Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:26:30.343Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:1662", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1662" }, { "name": "RHSA-2024:1706", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1706" }, { "name": "RHSA-2024:2088", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2088" }, { "name": "RHSA-2024:2833", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2833" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1023" }, { "name": "RHBZ#2260840", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840" }, { "tags": [ "x_transferred" ], "url": "https://github.com/eclipse-vertx/vert.x/issues/5078" }, { "tags": [ "x_transferred" ], "url": "https://github.com/eclipse-vertx/vert.x/pull/5080" }, { "tags": [ "x_transferred" ], "url": "https://github.com/eclipse-vertx/vert.x/pull/5082" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://mvnrepository.com/artifact/io.vertx", "defaultStatus": "unaffected", "packageName": "vertx-core", "versions": [ { "status": "affected", "version": "4.4.5" }, { "status": "affected", "version": "4.4.6" }, { "status": "affected", "version": "4.5.0" }, { "status": "affected", "version": "4.5.1" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:3" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "CEQ 3.2", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-7", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-operator-bundle", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-reports-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-rhel8-operator", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/jfr-datasource-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "cpe:/a:redhat:migration_toolkit_applications:6.2::el8" ], "defaultStatus": "affected", "packageName": "mta/mta-windup-addon-rhel9", "product": "MTA-6.2-RHEL-9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "6.2.3-2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:2" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat AMQ Streams 2.7.0", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.1" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3.2::el8" ], "defaultStatus": "affected", "packageName": "io.vertx/vertx-core", "product": "Red Hat build of Quarkus 3.2.11.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.8.redhat-00001", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2.5" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "RHINT Service Registry 2.5.11 GA", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:a_mq_clients:2" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "A-MQ Clients 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Migration Toolkit for Runtimes", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:serverless:1" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "OpenShift Serverless", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_broker:7" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat build of Apache Camel for Spring Boot 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat Build of Keycloak", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:optaplanner:::el6" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat build of OptaPlanner 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "unaffected", "packageName": "io.vertx/vertx-core", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" } ], "datePublic": "2024-01-26T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-119", "description": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-15T21:03:27.370Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1662", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1662" }, { "name": "RHSA-2024:1706", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1706" }, { "name": "RHSA-2024:2088", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2088" }, { "name": "RHSA-2024:2833", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2833" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1023" }, { "name": "RHBZ#2260840", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840" }, { "url": "https://github.com/eclipse-vertx/vert.x/issues/5078" }, { "url": "https://github.com/eclipse-vertx/vert.x/pull/5080" }, { "url": "https://github.com/eclipse-vertx/vert.x/pull/5082" } ], "timeline": [ { "lang": "en", "time": "2024-01-29T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-01-26T00:00:00+00:00", "value": "Made public." } ], "title": "Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-1023", "datePublished": "2024-03-27T07:51:15.716Z", "dateReserved": "2024-01-29T10:54:44.360Z", "dateUpdated": "2024-11-15T21:03:27.370Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1300
Vulnerability from cvelistv5
Published
2024-04-02 07:33
Modified
2024-11-15 21:03
Severity ?
EPSS score ?
Summary
Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:1662 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1706 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1923 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2088 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2833 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:3527 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:3989 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4884 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-1300 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2263139 | issue-tracking, x_refsource_REDHAT | |
https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni. |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1300", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-02T15:16:36.592165Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-20T19:53:23.394Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:33:25.527Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:1662", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1662" }, { "name": "RHSA-2024:1706", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1706" }, { "name": "RHSA-2024:1923", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1923" }, { "name": "RHSA-2024:2088", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2088" }, { "name": "RHSA-2024:2833", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2833" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1300" }, { "name": "RHBZ#2263139", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139" }, { "tags": [ "x_transferred" ], "url": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni." } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://vertx.io/docs/vertx-core/java/", "defaultStatus": "unaffected", "packageName": "io.vertx:vertx-core", "versions": [ { "lessThanOrEqual": "4.5.2", "status": "affected", "version": "4.3.4", "versionType": "semver" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:3" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "CEQ 3.2", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-7", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-operator-bundle", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-reports-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-rhel8-operator", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/jfr-datasource-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-operator-bundle", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-18", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-rhel8-operator", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-11", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-web-container-rhel8", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-12", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-web-executor-container-rhel8", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-10", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "cpe:/a:redhat:migration_toolkit_applications:6.2::el8" ], "defaultStatus": "affected", "packageName": "mta/mta-windup-addon-rhel9", "product": "MTA-6.2-RHEL-9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "6.2.3-2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:2" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat AMQ Streams 2.7.0", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.1" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3.2::el8" ], "defaultStatus": "affected", "packageName": "io.vertx/vertx-core", "product": "Red Hat build of Quarkus 3.2.11.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.8.redhat-00001", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2.5" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "RHINT Service Registry 2.5.11 GA", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:a_mq_clients:2" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "A-MQ Clients 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:serverless:1" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "OpenShift Serverless", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_broker:7" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat build of Apache Camel for Spring Boot 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat Build of Keycloak", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:optaplanner:::el6" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat build of OptaPlanner 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "affected", "packageName": "io.vertx/vertx-core", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" } ], "datePublic": "2024-02-06T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-15T21:03:29.385Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1662", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1662" }, { "name": "RHSA-2024:1706", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1706" }, { "name": "RHSA-2024:1923", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1923" }, { "name": "RHSA-2024:2088", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2088" }, { "name": "RHSA-2024:2833", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2833" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1300" }, { "name": "RHBZ#2263139", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139" }, { "url": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni." } ], "timeline": [ { "lang": "en", "time": "2024-02-07T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-02-06T00:00:00+00:00", "value": "Made public." } ], "title": "Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-1300", "datePublished": "2024-04-02T07:33:05.215Z", "dateReserved": "2024-02-07T07:11:11.156Z", "dateUpdated": "2024-11-15T21:03:29.385Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-6162
Vulnerability from cvelistv5
Published
2024-06-20 14:33
Modified
2024-11-15 21:04
Severity ?
EPSS score ?
Summary
Undertow: url-encoded request path information can be broken on ajp-listener
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:1194 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4386 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4884 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-6162 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2293069 | issue-tracking, x_refsource_REDHAT | |
https://issues.redhat.com/browse/JBEAP-26268 |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-6162", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-20T16:12:01.298919Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-20T16:12:42.628Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T21:33:05.087Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-6162" }, { "name": "RHBZ#2293069", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293069" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/undertow-io/undertow", "packageName": "undertow", "versions": [ { "lessThan": "2.2.33.Final", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.3.14", "status": "affected", "version": "2.3.0.Alpha1", "versionType": "custom" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.0" ], "defaultStatus": "unaffected", "product": "EAP 8.0.1", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.1" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apache Camel for Spring Boot 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhboac_hawtio:4" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat build of Apache Camel - HawtIO", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Build of Keycloak", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" } ], "datePublic": "2024-06-19T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as \"404 Not Found\" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-15T21:04:35.335Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1194", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1194" }, { "name": "RHSA-2024:4386", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4386" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-6162" }, { "name": "RHBZ#2293069", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293069" }, { "url": "https://issues.redhat.com/browse/JBEAP-26268" } ], "timeline": [ { "lang": "en", "time": "2024-06-19T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-06-19T00:00:00+00:00", "value": "Made public." } ], "title": "Undertow: url-encoded request path information can be broken on ajp-listener", "workarounds": [ { "lang": "en", "value": "To mitigate this issue, you can either switch to a different listener like the http-listener, or adjust the AJP listener configuration. By setting decode-url=\"false\" on the AJP listener and configuring a separate URL decoding filter, you can prevent the path decoding errors. This adjustment ensures that each request is processed correctly without interference from concurrent requests." } ], "x_redhatCweChain": "CWE-362-\u003eCWE-400: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) leads to Uncontrolled Resource Consumption" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-6162", "datePublished": "2024-06-20T14:33:10.342Z", "dateReserved": "2024-06-19T12:35:30.284Z", "dateUpdated": "2024-11-15T21:04:35.335Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-5971
Vulnerability from cvelistv5
Published
2024-07-08 20:51
Modified
2024-11-15 21:04
Severity ?
EPSS score ?
Summary
Undertow: response write hangs in case of java 17 tlsv1.3 newsessionticket
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:4392 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4884 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:5143 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:5144 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:5145 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:5147 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:6508 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:6883 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-5971 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2292211 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-5971", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-09T14:48:10.532625Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-09T14:48:19.006Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-28T15:02:51.331Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:4392", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4392" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-5971" }, { "name": "RHBZ#2292211", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211" }, { "url": "https://security.netapp.com/advisory/ntap-20240828-0001/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/undertow-io/undertow", "packageName": "undertow", "versions": [ { "lessThan": "2.2.34.Final", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.3.15.Final", "status": "affected", "version": "2.3.0.Alpha1", "versionType": "custom" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_spring_boot:3.20.7" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat build of Apache Camel 3.20.7 for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.1" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.2" ], "defaultStatus": "unaffected", "product": "Red Hat build of Apache Camel 4.4.2 for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.33-1.SP1_redhat_00001.1.el8eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.33-1.SP1_redhat_00001.1.el9eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.33-1.SP1_redhat_00001.1.el7eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.0" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apache Camel for Spring Boot 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhboac_hawtio:4" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apache Camel - HawtIO", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Build of Keycloak", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-undertow", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" } ], "datePublic": "2024-07-08T20:46:55+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\\r\\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-674", "description": "Uncontrolled Recursion", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-15T21:04:09.370Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:4392", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4392" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "name": "RHSA-2024:5143", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5143" }, { "name": "RHSA-2024:5144", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5144" }, { "name": "RHSA-2024:5145", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5145" }, { "name": "RHSA-2024:5147", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5147" }, { "name": "RHSA-2024:6508", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:6508" }, { "name": "RHSA-2024:6883", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:6883" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-5971" }, { "name": "RHBZ#2292211", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211" } ], "timeline": [ { "lang": "en", "time": "2024-06-13T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-07-08T20:46:55+00:00", "value": "Made public." } ], "title": "Undertow: response write hangs in case of java 17 tlsv1.3 newsessionticket", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-674: Uncontrolled Recursion" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-5971", "datePublished": "2024-07-08T20:51:29.223Z", "dateReserved": "2024-06-13T13:50:13.855Z", "dateUpdated": "2024-11-15T21:04:09.370Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }