Lucene search
RedhatCVELIST:CVE-2024-3653HistoryJul 08, 2024 - 9:21 p.m.
CVE-2024-3653 Undertow: learningpushhandler can lead to remote memory dos attacks
2024-07-0821:21:20
CWE-401
redhat
www.cve.org
8
undertow
vulnerability
learningpushhandler
memory dos
config
maxage
server
overwrite
http request
CVSS3
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
0
Percentile
10.8%
A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server’s config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
CNA Affected
[
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 7.1.0",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"defaultStatus": "unaffected",
"packageName": "undertow",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "eap7-undertow",
"defaultStatus": "affected",
"versions": [
{
"version": "0:2.2.33-1.SP1_redhat_00001.1.el8eap",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "eap7-undertow",
"defaultStatus": "affected",
"versions": [
{
"version": "0:2.2.33-1.SP1_redhat_00001.1.el9eap",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "eap7-undertow",
"defaultStatus": "affected",
"versions": [
{
"version": "0:2.2.33-1.SP1_redhat_00001.1.el7eap",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "undertow",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
]
},
{
"vendor": "Red Hat",
"product": "OpenShift Serverless",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:serverless:1"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Apache Camel for Quarkus",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:camel_quarkus:3"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Apache Camel for Spring Boot",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:camel_spring_boot:4"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Apache Camel - HawtIO",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:rhboac_hawtio:4"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Apicurio Registry",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:service_registry:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Build of Keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of OptaPlanner 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:optaplanner:::el6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Quarkus",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "io.quarkus/quarkus-undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:quarkus:3"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Data Grid 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Integration Camel K",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:integration:1"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Integration Camel Quarkus",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:camel_quarkus:2"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Data Grid 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "undertow",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "undertow",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Fuse 7",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "undertow",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Fuse Service Works 6",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "undertow",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_fuse_service_works:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Process Automation 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "unknown",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
]
},
{
"vendor": "Red Hat",
"product": "streams for Apache Kafka",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "undertow",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:amq_streams:1"
]
}
]Related
veracode
veracode
Configuration Bypass
2024-07-10 06:28:41
cve
cve
CVE-2024-3653
2024-07-08 22:15:02
vulnrichment
vulnrichment
osv
osv
CVE-2024-3653
2024-07-08 22:15:00
Undertow Missing Release of Memory after Effective Lifetime vulnerability
2024-07-09 00:31:40
redhatcve
redhatcve
CVE-2024-3653
2024-07-08 21:20:31
nvd
nvd
CVE-2024-3653
2024-07-08 22:15:02
github
github
Undertow Missing Release of Memory after Effective Lifetime vulnerability
2024-07-09 00:31:40
debiancve
debiancve
CVE-2024-3653
2024-07-08 22:15:02
ubuntucve
ubuntucve
CVE-2024-3653
2024-07-08 00:00:00
redhat
redhat
CVSS3
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
0
Percentile
10.8%
Related for CVELIST:CVE-2024-3653