Find, fix and prevent vulnerabilities in your code.

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when parsing multipart uploads, which apply the UndertowOptions.MULTIPART_MAX_ENTITY_SIZE option. An attacker can exhaust system memory by submitting large amounts of form data encoded with application/x-www-form-urlencoded.

Remediation

Upgrade io.undertow:undertow-core to version 2.2.39.Final, 2.3.21.Final, 2.4.0.Beta1 or higher.

References

• GitHub PR
• GitHub PR
• GitHub Release
• Jira Issue
• Red Hat Bugzilla Bug
• Red Hat Security Advisory

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the getParameterNames() function. An attacker can cause an OutOfMemoryError by sending requests with excessively large parameter names.

Remediation

Upgrade io.undertow:undertow-core to version 2.2.39.Final, 2.3.21.Final, 2.4.0.Beta1 or higher.

References

• GitHub Commit
• GitHub Release
• Red Hat Bugzilla Bug
• Red Hat Issues

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling (MadeYouReset) through malformed client requests that trigger repeated server-side stream resets without incrementing abuse counters. An attacker can exhaust server resources by sending specially crafted HTTP/2 requests that cause excessive workload through repeated stream aborts.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade io.undertow:undertow-core to version 2.2.38.Final, 2.3.20.Final or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Red Hat Bugzilla Bug
• Vulnerability Research

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the MultiPartParserDefinition multipart parsing process in MultiPartParserDefinition.java. An attacker can cause multipart/form-data content from an HTTP GET request to be parsed and prematurely written to disk by sending a request that triggers parameter parsing, such as getParameterMap(), leading to resource exhaustion or unwanted persistence of attacker-controlled data.

Notes

• The issue manifests when an application built on Undertow invokes parameter-parsing methods on a GET request while multipart/form-data content is present.

Remediation

Upgrade io.undertow:undertow-core to version 2.4.0.Beta1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Release
• Red Hat Bugzilla Bug