CVE-2024-3884
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat JBoss Enterprise Application Platform | 2.2.39.Final-redhat-00001 < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | 0:1.4.18-19.SP17_redhat_00001.1.ep7.el7 < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | 0:7.1.14-4.GA_redhat_00003.1.ep7.el7 < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | 0:2.0.41-7.SP8_redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | 0:7.3.17-5.GA_redhat_00006.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 7 | 0:2.2.39-1.Final_redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 7 | 0:7.4.24-4.GA_redhat_00002.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8 | 0:2.2.39-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8 | 0:7.4.24-4.GA_redhat_00002.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9 | 0:2.2.39-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9 | 0:7.4.24-4.GA_redhat_00002.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:1.83.0-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:33.0.0-2.jre_redhat_00003.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:4.0.6-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:1.0.0-3.redhat_00009.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.0.2-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.3.23-1.SP3_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:1.83.0-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:33.0.0-2.jre_redhat_00003.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:4.0.6-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:1.0.0-3.redhat_00009.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.0.2-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.3.23-1.SP3_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:4.0.10-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:1.82.0-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:801.3.0-1.GA_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:1.0.1-3.redhat_00003.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:6.6.36-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:4.0.2-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:2.5.0-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:2.3.20-2.SP4_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:8.1.3-4.GA_redhat_00006.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:5.0.12-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:2.6.6-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:8.1.1-4.GA_redhat_00007.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:4.0.10-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:1.82.0-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:801.3.0-1.GA_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:1.0.1-3.redhat_00003.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:6.6.36-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:4.0.2-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:2.5.0-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:2.3.20-2.SP4_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:8.1.3-4.GA_redhat_00006.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:5.0.12-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:2.6.6-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:8.1.1-4.GA_redhat_00007.1.el9eap < * | unaffected |
Weaknesses
- CWE-20: Improper Input Validation
Workarounds
It is possible to mitigate the vulnerability by performing an upper-level verification to ensure the content size sent server side is within the allowed parameters.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://access.redhat.com/errata/RHSA-2026:0383
- https://access.redhat.com/errata/RHSA-2026:0384
- https://access.redhat.com/errata/RHSA-2026:0386
- https://access.redhat.com/errata/RHSA-2026:3889
- https://access.redhat.com/errata/RHSA-2026:3891
- https://access.redhat.com/errata/RHSA-2026:3892
- https://access.redhat.com/errata/RHSA-2026:4915
- https://access.redhat.com/errata/RHSA-2026:4916
- https://access.redhat.com/errata/RHSA-2026:4917
- https://access.redhat.com/errata/RHSA-2026:4924
- https://access.redhat.com/errata/RHSA-2026:6011
- https://access.redhat.com/errata/RHSA-2026:6012
- https://access.redhat.com/security/cve/CVE-2024-3884
- https://bugzilla.redhat.com/show_bug.cgi?id=2275287
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.