CVE-2024-8447

Summary

A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.

Affected Software

VendorProductVersion RangeStatus
0 < 7.1.0.Finalaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:800.6.1-1.GA_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:4.1.119-1.Final_redhat_00002.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:4.1.119-1.Final_redhat_00002.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.0.16-2.redhat_00003.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:8.0.6-15.GA_redhat_00009.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:800.6.1-1.GA_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:4.1.119-1.Final_redhat_00002.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:4.1.119-1.Final_redhat_00002.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.0.16-2.redhat_00003.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:8.0.6-15.GA_redhat_00009.1.el9eap < *unaffected

Weaknesses

  • CWE-833: Deadlock

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References