CVE-2024-5971

Summary

A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.

Affected Software

VendorProductVersion RangeStatus
0 < 2.2.34.Finalaffected
2.3.0.Alpha1 < 2.3.15.Finalaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:2.2.33-1.SP1_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:2.2.33-1.SP1_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:2.2.33-1.SP1_redhat_00001.1.el7eap < *unaffected

Weaknesses

  • CWE-674: Uncontrolled Recursion

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References