undertow-dev September 2024

undertow-dev@lists.jboss.org

1 participants
3 discussions

by Thomas Segismont

Hi, Openshift Origin uses Hawkular Metrics to store node and container data. In this scenario, Hawkular Metrics calls the Kubernetes master server over HTTPS to validate the client identity. This is implemented with Undertow Client, as part of a ServletExtension (inside Wildfly 10) [1]. Works fine in development and testing. Now the Openshit team sees errors in the logs [2][3]. I couldn't reproduce yet. Errors come in pair, first the "UT005001: An exception occurred processing the request: java.lang.IllegalStateException: XNIO000017: Buffer was already freed", and just after "XNIO001007: A channel event listener threw an exception: java.lang.NullPointerException". Does that ring a bell? I haven't been able to find a starting point by looking into the source the code. Thanks -- Thomas Segismont JBoss ON Engineering Team [1] https://git.io/vrNyP [2] https://issues.jboss.org/browse/HWKMETRICS-408 [3] https://issues.jboss.org/secure/attachment/12405779/hawkular.log

1 week, 4 days

4
5
0 / 0

Security Vulnerability CVE-2024-7885 in Undertow 2.3.17.Final

by Elemér Zágoni

The Owasp Dependency check plugin found the following Security vulnerability in my app (even the latest 2.3.17.Final is affected): Please address: A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments. CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CVSSv3: - Base Score: HIGH (7.5) - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References: - OSSINDEX - [CVE-2024-7885] CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') <https://ossindex.sonatype.org/vulnerability/CVE-2024-7885?component-type=...> - OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-7885 - OSSIndex - https://access.redhat.com/security/cve/CVE-2024-7885 Vulnerable Software & Versions (OSSINDEX): - cpe:2.3:a:io.undertow:undertow-core:2.3.17.Final:*:*:*:*:*:*:* *CVE-2016-6311* (OSSINDEX) suppress Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CVSSv3: - Base Score: MEDIUM (5.300000190734863) - Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References: - OSSINDEX - [CVE-2016-6311] CWE-200: Information Exposure <https://ossindex.sonatype.org/vulnerability/CVE-2016-6311?component-type=...> - OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6311 - OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=1362735 Vulnerable Software & Versions (OSSINDEX): - cpe:2.3:a:io.undertow:undertow-core:2.3.17.Final:*:*:*:*:*:*:* Thanks a lot Elemér.

1 year, 5 months

1
0
0 / 0

2.3.17.Final Security vulnerability: CVE-2024-7885

by Zagoni Elemer

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments. CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References: OSSINDEX - [CVE-2024-7885] CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-7885 OSSIndex - https://access.redhat.com/security/cve/CVE-2024-7885 Vulnerable Software & Versions (OSSINDEX): cpe:2.3:a:io.undertow:undertow-core:2.3.17.Final:*:*:*:*:*:*:* CVE-2016-6311 (OSSINDEX) suppress Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CVSSv3: Base Score: MEDIUM (5.300000190734863) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References: OSSINDEX - [CVE-2016-6311] CWE-200: Information Exposure OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6311 OSSIndex - https://bugzilla.redhat.com/show_bug.cgi?id=1362735 Vulnerable Software & Versions (OSSINDEX): cpe:2.3:a:io.undertow:undertow-core:2.3.17.Final:*:*:*:*:*:*:*

1 year, 5 months

1
0
0 / 0

← Newer
1
Older →

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

undertow-dev September 2024