CVE-2023-1108: Undertow: infinite loop in sslconduit during close
First published: Tue Feb 28 2023(Updated: )
<a href="https://issues.redhat.com/browse/UNDERTOW-2239">https://issues.redhat.com/browse/UNDERTOW-2239</a> A denial-of-service vulnerability found in Undertow : Latest JDKs from the January 18th release (jdk 11.0.18, and may be jdk 17.0.6) include this change: <a href="https://github.com/openjdk/jdk11u/commit/243a55ef31e9584467482c6159501b5d522a9427#diff-fd78e578d9d538ff23130422a81e277b5482ac752dc158b6dc07737a9c4c3f4bR737-L737">https://github.com/openjdk/jdk11u/commit/243a55ef31e9584467482c6159501b5d522a9427#diff-fd78e578d9d538ff23130422a81e277b5482ac752dc158b6dc07737a9c4c3f4bR737-L737</a> Which is suspected to be the cause of an infinite loop in SslConduit here: <a href="https://github.com/undertow-io/undertow/blob/d508c1328ba5c1ca228bfcc405f2c6b9321a1139/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java#L1002-L1004">https://github.com/undertow-io/undertow/blob/d508c1328ba5c1ca228bfcc405f2c6b9321a1139/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java#L1002-L1004</a> Where there is HandshakeStatus.NEED_WRAP but the status is updated to Status.CLOSED (new in this JDK release) so the loop never terminates.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-undertow | <0:2.2.22-1.SP3_redhat_00002.1.el8ea | 0:2.2.22-1.SP3_redhat_00002.1.el8ea |
| redhat/eap7-wildfly | <0:7.4.9-6.GA_redhat_00004.1.el8ea | 0:7.4.9-6.GA_redhat_00004.1.el8ea |
| redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el8ea | 0:2.2.23-1.SP2_redhat_00001.1.el8ea |
| redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el8ea | 0:2.0.14-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-undertow | <0:2.2.22-1.SP3_redhat_00002.1.el9ea | 0:2.2.22-1.SP3_redhat_00002.1.el9ea |
| redhat/eap7-wildfly | <0:7.4.9-6.GA_redhat_00004.1.el9ea | 0:7.4.9-6.GA_redhat_00004.1.el9ea |
| redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el9ea | 0:2.2.23-1.SP2_redhat_00001.1.el9ea |
| redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el9ea | 0:2.0.14-1.Final_redhat_00001.1.el9ea |
| redhat/eap7-undertow | <0:2.2.22-1.SP3_redhat_00002.1.el7ea | 0:2.2.22-1.SP3_redhat_00002.1.el7ea |
| redhat/eap7-wildfly | <0:7.4.9-6.GA_redhat_00004.1.el7ea | 0:7.4.9-6.GA_redhat_00004.1.el7ea |
| redhat/eap7-undertow | <0:2.2.23-1.SP2_redhat_00001.1.el7ea | 0:2.2.23-1.SP2_redhat_00001.1.el7ea |
| redhat/eap7-undertow-jastow | <0:2.0.14-1.Final_redhat_00001.1.el7ea | 0:2.0.14-1.Final_redhat_00001.1.el7ea |
| redhat/rh-sso7-keycloak | <0:18.0.8-1.redhat_00001.1.el7 | 0:18.0.8-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.8-1.redhat_00001.1.el8 | 0:18.0.8-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.8-1.redhat_00001.1.el9 | 0:18.0.8-1.redhat_00001.1.el9 |
| maven/io.undertow:undertow-core | <2.2.24.Final | 2.2.24.Final |
| maven/io.undertow:undertow-core | >=2.3.0<2.3.5.Final | 2.3.5.Final |
| Redhat Build Of Quarkus | ||
| Redhat Decision Manager | =7.0 | |
| Redhat Fuse | =1.0.0 | |
| Redhat Integration Camel K | ||
| Redhat Integration Service Registry | ||
| Redhat Jboss Enterprise Application Platform | ||
| Redhat Jboss Enterprise Application Platform Expansion Pack | ||
| Redhat Openshift Application Runtimes | ||
| Redhat Openstack Platform | =13.0 | |
| Redhat Process Automation | =7.0 | |
| Redhat Single Sign-on | ||
| Redhat Undertow | <2.2.24 | |
| Redhat Undertow | >=2.3.0<2.3.5 | |
| Redhat Openshift Container Platform | =4.11 | |
| Redhat Openshift Container Platform | =4.12 | |
| Redhat Openshift Container Platform For Linuxone | =4.9 | |
| Redhat Openshift Container Platform For Linuxone | =4.10 | |
| Redhat Openshift Container Platform For Power | =4.9 | |
| Redhat Openshift Container Platform For Power | =4.10 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Jboss Enterprise Application Platform | =7.4 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =9.0 | |
| Redhat Single Sign-on | =7.6 | |
| IBM Watson Knowledge Catalog on-prem | <=4.x | |
| NetApp OnCommand Workflow Automation | ||
| redhat/undertow | <2.3.5. | 2.3.5. |
| redhat/undertow | <2.2.24. | 2.2.24. |
| All of | ||
| Any of | ||
| Redhat Openshift Container Platform | =4.11 | |
| Redhat Openshift Container Platform | =4.12 | |
| Redhat Openshift Container Platform For Linuxone | =4.9 | |
| Redhat Openshift Container Platform For Linuxone | =4.10 | |
| Redhat Openshift Container Platform For Power | =4.9 | |
| Redhat Openshift Container Platform For Power | =4.10 | |
| Redhat Enterprise Linux | =8.0 | |
| All of | ||
| Redhat Jboss Enterprise Application Platform | =7.4 | |
| Any of | ||
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| All of | ||
| Redhat Single Sign-on | =7.6 | |
| Any of | ||
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2023-1108 https://nvd.nist.gov/vuln/detail/CVE-2023-1108
- https://bugzilla.redhat.com/show_bug.cgi?id=2174246
- https://access.redhat.com/errata/RHSA-2023:1184
- https://access.redhat.com/errata/RHSA-2023:1516
- https://access.redhat.com/errata/RHSA-2023:1185
- https://access.redhat.com/errata/RHSA-2023:1513
- https://access.redhat.com/errata/RHSA-2023:1514
- https://access.redhat.com/errata/RHSA-2023:1512
- https://access.redhat.com/errata/RHSA-2023:3954
- https://access.redhat.com/errata/RHSA-2023:3892
- https://access.redhat.com/errata/RHSA-2023:3883
- https://access.redhat.com/errata/RHSA-2023:3884
- https://access.redhat.com/errata/RHSA-2023:3885
- https://access.redhat.com/errata/RHSA-2023:3888
- https://access.redhat.com/errata/RHSA-2023:4612
- https://access.redhat.com/security/cve/cve-2023-1108
- https://access.redhat.com/security/cve/CVE-2023-1108
- https://security.netapp.com/advisory/ntap-20231020-0002/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/249912
- https://www.ibm.com/support/pages/node/7009747 (Advisory)
- https://issues.redhat.com/browse/UNDERTOW-2239
- https://github.com/openjdk/jdk11u/commit/243a55ef31e9584467482c6159501b5d522a9427#diff-fd78e578d9d538ff23130422a81e277b5482ac752dc158b6dc07737a9c4c3f4bR737-L737
- https://github.com/undertow-io/undertow/blob/d508c1328ba5c1ca228bfcc405f2c6b9321a1139/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java#L1002-L1004
- https://access.redhat.com/errata/RHSA-2023:2135
- https://github.com/advisories/GHSA-m4mm-pg93-fv78 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-1108
- https://github.com/undertow-io/undertow/commit/1b763064a41a30583b5df9a118898513007a70be
- https://github.com/undertow-io/undertow/commit/ccc053b55f5de9872bc1a4999fd6aa85fc5e146d
- https://github.com/undertow-io/undertow/pull/1457
- https://github.com/undertow-io/undertow/commit/1302c8cf4476936802504efe0d36c58dcd954f78
- https://security.netapp.com/advisory/ntap-20231020-0002
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2023-1108.
What is the severity of CVE-2023-1108?
The severity of CVE-2023-1108 is high.
What is the affected software for CVE-2023-1108?
The affected software for CVE-2023-1108 is Undertow.
How do I fix CVE-2023-1108?
To fix CVE-2023-1108, update Undertow to version 2.2.24 or 2.3.5.
Where can I find more information about CVE-2023-1108?
You can find more information about CVE-2023-1108 at the following references: [Reference 1](https://access.redhat.com/errata/RHSA-2023:1184), [Reference 2](https://access.redhat.com/errata/RHSA-2023:1185), [Reference 3](https://access.redhat.com/errata/RHSA-2023:1512)
- collector/redhat-cve
- collector/nvd-index
- agent/first-publish-date
- agent/type
- agent/weakness
- agent/author
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-1108
- agent/software-canonical-lookup
- agent/title
- agent/event
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m4mm-pg93-fv78
- agent/references
- agent/tags
- collector/nvd-cve
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/redhat
- canonical/redhat build of quarkus
- canonical/redhat decision manager
- version/redhat decision manager/7.0
- canonical/redhat fuse
- version/redhat fuse/1.0.0
- canonical/redhat integration camel k
- canonical/redhat integration service registry
- canonical/redhat jboss enterprise application platform
- canonical/redhat jboss enterprise application platform expansion pack
- canonical/redhat openshift application runtimes
- canonical/redhat openstack platform
- version/redhat openstack platform/13.0
- canonical/redhat process automation
- version/redhat process automation/7.0
- canonical/redhat single sign-on
- canonical/redhat undertow
- version/redhat undertow/2.3.0
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.11
- version/redhat openshift container platform/4.12
- canonical/redhat openshift container platform for linuxone
- version/redhat openshift container platform for linuxone/4.9
- version/redhat openshift container platform for linuxone/4.10
- canonical/redhat openshift container platform for power
- version/redhat openshift container platform for power/4.9
- version/redhat openshift container platform for power/4.10
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat jboss enterprise application platform/7.4
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/9.0
- version/redhat single sign-on/7.6
- vendor/netapp
- canonical/netapp oncommand workflow automation
- package-manager/maven
- vendor/ibm
- canonical/ibm watson knowledge catalog on-prem
- version/ibm watson knowledge catalog on-prem/4.x