Uncontrolled Resource Consumption

CVE-2024-1635

Severity High
Score 7.5/10

Summary

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens a connection to the HTTP port of the server and then closes it immediately, the server will eventually exhaust both its memory and its open file limit, at a point that depends on the amount of memory available. This issue affects "io.undertow:undertow-core" in versions 1.0.2.Final through 2.2.30.Final, and 2.3.0.Final through 2.3.11.Final.

At HTTP upgrade to remoting, the "WriteTimeoutStreamSinkConduit" leaks connections if the "RemotingConnection" is closed by the Remoting "ServerConnectionOpenListener". Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer around the remoting connection. The remoting connection is unaware of that outermost layer when it is closed during the connection opening procedure, so the Undertow "WriteTimeoutStreamSinkConduit" is not notified of the closed connection in this scenario. Because "WriteTimeoutStreamSinkConduit" creates a timeout task that is added to the XNIO "WorkerThread", the whole dependency tree leaks via that task: the worker thread references the Undertow conduit, which in turn holds the connections, and this causes the leak.
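A minimal model of the leak pattern the summary describes, as an added example that is not Undertow's or XNIO's code: every class and method name here is a hypothetical stand-in, a `ScheduledThreadPoolExecutor` queue stands in for the XNIO worker's task queue, and the vulnerable and fixed paths differ only in whether the inner connection's close reaches the outer conduit.

```java
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

// Hypothetical model of the advisory's leak; no name below is a real Undertow or XNIO class.
public class UpgradeLeakModel {
    // Stands in for the XNIO WorkerThread: its queue retains every scheduled timeout task until
    // it fires or is removed. Without removeOnCancel, even cancelled tasks stay queued until due.
    static final ScheduledThreadPoolExecutor worker = new ScheduledThreadPoolExecutor(1);
    static { worker.setRemoveOnCancelPolicy(true); }

    // Inner (remoting) connection created by the HTTP upgrade. The open listener may close it
    // before the outer Undertow layer is told; 'outerClose' models that notification (null = none).
    static class RemotingConnection {
        private final Runnable outerClose;
        RemotingConnection(Runnable outerClose) { this.outerClose = outerClose; }
        void close() { if (outerClose != null) outerClose.run(); }
    }

    // Outer layer: arms a write timeout on the worker. The task captures 'this', so the worker's
    // queue keeps the conduit, and everything it references, strongly reachable until it fires.
    static class WriteTimeoutConduit {
        final byte[] perConnectionState = new byte[64 * 1024]; // stands in for buffers and the socket
        private ScheduledFuture<?> timeoutKey;
        void armTimeout(long ms) {
            timeoutKey = worker.schedule(() -> System.out.println("timeout on " + this), ms, TimeUnit.MILLISECONDS);
        }
        void close() { if (timeoutKey != null) timeoutKey.cancel(false); }
    }

    // Vulnerable path: the inner connection closes, the outer conduit never does, and its
    // timeout task (still holding the conduit and its state) remains in the worker queue.
    static void vulnerableOpenAndClose() {
        WriteTimeoutConduit conduit = new WriteTimeoutConduit();
        conduit.armTimeout(60_000);
        new RemotingConnection(null).close();
    }

    // Fixed path: closing the inner connection propagates to the outer conduit, which cancels
    // its timeout task, so the worker queue no longer keeps the connection alive.
    static void fixedOpenAndClose() {
        WriteTimeoutConduit conduit = new WriteTimeoutConduit();
        conduit.armTimeout(60_000);
        new RemotingConnection(conduit::close).close();
    }

    public static void main(String[] args) {
        for (int i = 0; i < 1000; i++) vulnerableOpenAndClose();
        System.out.println("vulnerable: queued timeout tasks = " + worker.getQueue().size());
        worker.getQueue().clear();
        for (int i = 0; i < 1000; i++) fixedOpenAndClose();
        System.out.println("fixed: queued timeout tasks = " + worker.getQueue().size());
        worker.shutdownNow();
    }
}
```

The vulnerable loop leaves one queued task per open/close cycle, each pinning a conduit and its 64 KiB of state for the full timeout; the fixed loop leaves none, which is the property a defender would assert on the worker's queue depth or the process's open-file count.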

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH

CWE-400 - Uncontrolled resource consumption

An uncontrolled resource consumption attack (also known as a resource exhaustion attack) triggers unauthorized overconsumption of an application's limited resources, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and to degradation of the application's functionality, as well as that of the host operating system.

Advisory Timeline

  • Published