CVE-2024-3653

Summary

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

Affected Software

VendorProductVersion RangeStatus
0 <= 2.3.14.Finalaffected
Red HatRed Hat build of Quarkus 3.8.6.redhat5.2.4.redhat-00001 < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:2.2.33-1.SP1_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:2.2.33-1.SP1_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:2.2.33-1.SP1_redhat_00001.1.el7eap < *unaffected

Weaknesses

  • CWE-401: Missing Release of Memory after Effective Lifetime

Workarounds

Setting the maxAge configuration is sufficient to prevent the behavior of this vulnerability being explored.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References