First published: Tue Feb 28 2023 (Updated: )
A denial-of-service vulnerability found in Undertow, tracked upstream as [UNDERTOW-2239](https://issues.redhat.com/browse/UNDERTOW-2239). The latest JDKs from the January 18th release (jdk 11.0.18, and maybe jdk 17.0.6) include this change: [openjdk/jdk11u commit 243a55ef](https://github.com/openjdk/jdk11u/commit/243a55ef31e9584467482c6159501b5d522a9427#diff-fd78e578d9d538ff23130422a81e277b5482ac752dc158b6dc07737a9c4c3f4bR737-L737), which is suspected to be the cause of an infinite loop in SslConduit here: [SslConduit.java#L1002-L1004](https://github.com/undertow-io/undertow/blob/d508c1328ba5c1ca228bfcc405f2c6b9321a1139/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java#L1002-L1004). At that point the engine reports HandshakeStatus.NEED_WRAP, but the result status is updated to Status.CLOSED (new in this JDK release), so the loop never terminates.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/eap7-undertow | <0:2.2.22-1.SP3_redhat_00002.1.el8ea | 0:2.2.22-1.SP3_redhat_00002.1.el8ea |
redhat/eap7-wildfly | <0:7.4.9-6.GA_redhat_00004.1.el8ea | 0:7.4.9-6.GA_redhat_00004.1.el8ea |
redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el8ea | 0:2.2.23-1.SP2_redhat_00001.1.el8ea |
redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el8ea | 0:2.0.14-1.Final_redhat_00001.1.el8ea |
redhat/eap7-undertow | <0:2.2.22-1.SP3_redhat_00002.1.el9ea | 0:2.2.22-1.SP3_redhat_00002.1.el9ea |
redhat/eap7-wildfly | <0:7.4.9-6.GA_redhat_00004.1.el9ea | 0:7.4.9-6.GA_redhat_00004.1.el9ea |
redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el9ea | 0:2.2.23-1.SP2_redhat_00001.1.el9ea |
redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el9ea | 0:2.0.14-1.Final_redhat_00001.1.el9ea |
redhat/eap7-undertow | <0:2.2.22-1.SP3_redhat_00002.1.el7ea | 0:2.2.22-1.SP3_redhat_00002.1.el7ea |
redhat/eap7-wildfly | <0:7.4.9-6.GA_redhat_00004.1.el7ea | 0:7.4.9-6.GA_redhat_00004.1.el7ea |
redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el7ea | 0:2.2.23-1.SP2_redhat_00001.1.el7ea |
redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el7ea | 0:2.0.14-1.Final_redhat_00001.1.el7ea |
redhat/rh-sso7-keycloak | <0:18.0.8-1.redhat_00001.1.el7 | 0:18.0.8-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:18.0.8-1.redhat_00001.1.el8 | 0:18.0.8-1.redhat_00001.1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.8-1.redhat_00001.1.el9 | 0:18.0.8-1.redhat_00001.1.el9 |
maven/io.undertow:undertow-core | <2.2.24.Final | 2.2.24.Final |
maven/io.undertow:undertow-core | >=2.3.0<2.3.5.Final | 2.3.5.Final |
Redhat Build Of Quarkus | ||
Redhat Decision Manager | =7.0 | |
Redhat Fuse | =1.0.0 | |
Redhat Integration Camel K | ||
Redhat Integration Service Registry | ||
Redhat Jboss Enterprise Application Platform | ||
Redhat Jboss Enterprise Application Platform Expansion Pack | ||
Redhat Openshift Application Runtimes | ||
Redhat Openstack Platform | =13.0 | |
Redhat Process Automation | =7.0 | |
Redhat Single Sign-on | ||
Redhat Undertow | <2.2.24 | |
Redhat Undertow | >=2.3.0<2.3.5 | |
Redhat Openshift Container Platform | =4.11 | |
Redhat Openshift Container Platform | =4.12 | |
Redhat Openshift Container Platform For Linuxone | =4.9 | |
Redhat Openshift Container Platform For Linuxone | =4.10 | |
Redhat Openshift Container Platform For Power | =4.9 | |
Redhat Openshift Container Platform For Power | =4.10 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Jboss Enterprise Application Platform | =7.4 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =9.0 | |
Redhat Single Sign-on | =7.6 | |
IBM Watson Knowledge Catalog on-prem | <=4.x | |
NetApp OnCommand Workflow Automation | ||
redhat/undertow | <2.3.5. | 2.3.5. |
redhat/undertow | <2.2.24. | 2.2.24. |

Platform configurations from the advisory (the same products as the rows above, with their AND/OR relationships):

- All of:
  - Any of: Redhat Openshift Container Platform 4.11 or 4.12; Redhat Openshift Container Platform For Linuxone 4.9 or 4.10; Redhat Openshift Container Platform For Power 4.9 or 4.10
  - Redhat Enterprise Linux 8.0
- All of:
  - Redhat Jboss Enterprise Application Platform 7.4
  - Any of: Redhat Enterprise Linux 7.0, 8.0 or 9.0
- All of:
  - Redhat Single Sign-on 7.6
  - Any of: Redhat Enterprise Linux 7.0, 8.0 or 9.0
The vulnerability ID for this flaw is CVE-2023-1108.
The severity of CVE-2023-1108 is high.
The affected software for CVE-2023-1108 is Undertow.
To fix CVE-2023-1108, update Undertow to version 2.2.24 or 2.3.5.
You can find more information about CVE-2023-1108 at the following references: [Reference 1](https://access.redhat.com/errata/RHSA-2023:1184), [Reference 2](https://access.redhat.com/errata/RHSA-2023:1185), [Reference 3](https://access.redhat.com/errata/RHSA-2023:1512)