CVE-2023-3223

Summary

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:2.2.25-3.SP3_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:2.2.25-3.SP3_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:2.2.25-3.SP3_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.9-1.redhat_00001.1.el7sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 80:18.0.9-1.redhat_00001.1.el8sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.9-1.redhat_00001.1.el9sso < *unaffected
Red HatRHEL-8 based Middleware Containers7.6-27 < *unaffected

Weaknesses

  • CWE-789: Memory Allocation with Excessive Size Value

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References