CVE-2016-2094
First published: Mon Feb 15 2016(Updated: )
It was reported that HTTPS NIO connector uses no timeout when reading SSL handshake from a client to tie up a thread on the server just by creating a socket. Attacker could create socket and then never sends the handshake or any data at all, which causes the thread to remain occupied indefinitely so long as the socket remains open. Product bug: <a class="bz_bug_link bz_secure " title="" href="show_bug.cgi?id=1307039">https://bugzilla.redhat.com/show_bug.cgi?id=1307039</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform | =6.4.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1307039
- https://rhn.redhat.com/errata/RHSA-2016-0598.html
- https://rhn.redhat.com/errata/RHSA-2016-0597.html
- https://rhn.redhat.com/errata/RHSA-2016-0596.html
- https://rhn.redhat.com/errata/RHSA-2016-0595.html
- https://rhn.redhat.com/errata/RHSA-2016-0599.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1308465
- http://rhn.redhat.com/errata/RHSA-2016-0595.html
- http://rhn.redhat.com/errata/RHSA-2016-0596.html
- http://rhn.redhat.com/errata/RHSA-2016-0597.html
- http://rhn.redhat.com/errata/RHSA-2016-0598.html
- http://rhn.redhat.com/errata/RHSA-2016-0599.html
Frequently Asked Questions
What is the severity of CVE-2016-2094?
CVE-2016-2094 has been classified as a medium severity vulnerability.
How do I fix CVE-2016-2094?
To fix CVE-2016-2094, update to the latest version of Red Hat JBoss Enterprise Application Platform that includes the necessary security patches.
What impact does CVE-2016-2094 have on JBoss?
CVE-2016-2094 can lead to a denial of service on JBoss by exhausting server threads through an attacker creating sockets without completing the SSL handshake.
Which versions of JBoss are affected by CVE-2016-2094?
CVE-2016-2094 specifically affects Red Hat JBoss Enterprise Application Platform version 6.4.6.
Is there a workaround for CVE-2016-2094?
There are no known workarounds for CVE-2016-2094, so applying the patch is the recommended solution.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/author
- agent/weakness
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-2094
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/jboss
- canonical/red hat jboss enterprise application platform
- version/red hat jboss enterprise application platform/6.4.6