High severity · OSV Advisory · Published Sep 14, 2023 · Updated Aug 2, 2024

Undertow: infinite loop in sslconduit during close

CVE-2023-1108

Description

A flaw was found in Undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status update in SslConduit, where the loop never terminates.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Undertow's SslConduit can spin forever in its TLS close handling, letting a remote client pin a server thread and cause a denial of service.

The defect is the wrap loop in SslConduit.wrapAndFlip: it keeps calling SSLEngine.wrap() for as long as the engine reports HandshakeStatus.NEED_WRAP and the last result was not BUFFER_OVERFLOW. When the inbound side of the engine is already done (the peer has closed its half of the TLS session), that status can persist without wrap() ever making progress, so the loop never terminates [1][2][3][4].

No authentication is required and the trigger is remote: any client that can open a TLS connection to the server can drive that connection into the closing state in which the engine keeps asking for NEED_WRAP [4].

Each connection that hits the loop keeps the thread serving it at full CPU indefinitely; repeating the trigger across connections exhausts the server's capacity to handle other requests, making it unresponsive [4].
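
To make the termination condition concrete, the following is an added example (not Undertow's code) that reproduces the loop condition of wrapAndFlip before and after the UNDERTOW-2239 fix and runs both against two stub engines. The SSLEngine is replaced by a minimal EngineView interface with StuckClosingEngine (inbound already done, wrap() keeps answering OK/NEED_WRAP with no bytes produced, the no-progress state the advisory describes) and FinishingEngine (a healthy close that needs a few wraps and then reports NOT_HANDSHAKING); those types, and the iteration bound used to observe the hang instead of hanging the JVM, are assumptions of this example. The SSLEngineResult values are real JDK objects built with the public constructor.

```java
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLEngineResult.Status;

/**
 * Models the loop condition of SslConduit.wrapAndFlip before and after the
 * CVE-2023-1108 fix. Example code, not part of Undertow: the SSLEngine is
 * replaced by the stub EngineView below, which exposes only the two calls
 * the loop condition depends on.
 */
public class WrapLoopModel {

    /** Stand-in for the SSLEngine calls used by the loop (assumption). */
    interface EngineView {
        SSLEngineResult wrap();
        boolean isInboundDone();
    }

    /** Stub: peer has closed inbound, wrap() never makes progress. */
    static final class StuckClosingEngine implements EngineView {
        public SSLEngineResult wrap() {
            // 0 bytes consumed, 0 produced, engine still asks for another wrap
            return new SSLEngineResult(Status.OK, HandshakeStatus.NEED_WRAP, 0, 0);
        }
        public boolean isInboundDone() { return true; }
    }

    /** Stub for a healthy close: needs n wraps, then reports NOT_HANDSHAKING. */
    static final class FinishingEngine implements EngineView {
        private final int wrapsNeeded;
        private int wrapsDone;
        FinishingEngine(int wrapsNeeded) { this.wrapsNeeded = wrapsNeeded; }
        public SSLEngineResult wrap() {
            wrapsDone++;
            HandshakeStatus next = wrapsDone < wrapsNeeded
                ? HandshakeStatus.NEED_WRAP : HandshakeStatus.NOT_HANDSHAKING;
            // 64 bytes of constructed handshake output per call
            return new SSLEngineResult(Status.OK, next, 0, 64);
        }
        public boolean isInboundDone() { return false; }
    }

    /** Pre-fix condition, as on the '-' line of the fix hunk. */
    static boolean keepWrappingVulnerable(SSLEngineResult result) {
        return result == null
            || (result.getHandshakeStatus() == HandshakeStatus.NEED_WRAP
                && result.getStatus() != Status.BUFFER_OVERFLOW);
    }

    /** Post-fix condition, as on the '+' lines of the fix hunk. */
    static boolean keepWrappingPatched(SSLEngineResult result, EngineView engine) {
        return result == null
            || (result.getHandshakeStatus() == HandshakeStatus.NEED_WRAP
                && result.getStatus() != Status.BUFFER_OVERFLOW
                && !engine.isInboundDone());
    }

    /**
     * Runs the loop against the engine and counts wrap() calls. maxIterations
     * bounds the run so the vulnerable variant can be observed rather than
     * hanging the JVM; returns -1 when the bound is hit (the DoS case).
     */
    static int wrapCalls(EngineView engine, boolean patched, int maxIterations) {
        SSLEngineResult result = null;
        int calls = 0;
        while (patched ? keepWrappingPatched(result, engine)
                       : keepWrappingVulnerable(result)) {
            if (calls++ >= maxIterations) {
                return -1;
            }
            result = engine.wrap();
        }
        return calls;
    }

    public static void main(String[] args) {
        int bound = 10_000;
        System.out.println("healthy close, vulnerable loop: "
            + wrapCalls(new FinishingEngine(3), false, bound) + " wrap calls");
        System.out.println("healthy close, patched loop:    "
            + wrapCalls(new FinishingEngine(3), true, bound) + " wrap calls");
        EngineView stuck = new StuckClosingEngine();
        System.out.println("inbound done, vulnerable loop:  "
            + wrapCalls(stuck, false, bound) + " (-1 = hit the bound, would spin forever)");
        System.out.println("inbound done, patched loop:     "
            + wrapCalls(stuck, true, bound) + " wrap call(s)");
    }
}
```

Run it with `javac WrapLoopModel.java && java WrapLoopModel`. The healthy engine terminates in both variants, which is the regression check one would want around this change; against the stuck engine only the patched condition exits. Note that even the patched condition performs one wrap() before the isInboundDone() clause is consulted, because `result == null` short-circuits the first evaluation.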

Red Hat has released security updates for Red Hat JBoss Enterprise Application Platform (EAP); affected users should apply the patches referenced in the errata [1][2][3]. Upstream, the fix (UNDERTOW-2239) is in undertow-core 2.2.24.Final and 2.3.5.Final; anything earlier on either line is affected.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions          Patched version
io.undertow:undertow-core   Maven       >= 2.3.0, < 2.3.5.Final    2.3.5.Final
io.undertow:undertow-core   Maven       < 2.2.24.Final             2.2.24.Final

Affected products: 2

Patches: 3
1b763064a41a

Merge pull request #1453 from fl4via/UNDERTOW-2239

https://github.com/undertow-io/undertow · Flavia Rainone · Mar 25, 2023 · via GHSA
1 file changed · +2 −1
  • core/src/main/java/io/undertow/protocols/ssl/SslConduit.java  +2 −1  modified
    @@ -1004,7 +1004,8 @@ private synchronized long doWrap(ByteBuffer[] userBuffers, int off, int len) thr
     
         private SSLEngineResult wrapAndFlip(ByteBuffer[] userBuffers, int off, int len) throws IOException {
             SSLEngineResult result = null;
    -        while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW)) {
    +        while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP
    +                && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW && !engine.isInboundDone())) {
                 if (userBuffers == null) {
                     result = engine.wrap(EMPTY_BUFFER, wrappedData.getBuffer());
                 } else {
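
Review bot: the new guard does not quite match the merged commit message ("do not attempt to wrap if engine.isInboundDone()"): because the condition is `result == null || (...)`, the first iteration always runs and calls `engine.wrap(...)` once even when inbound is already done; the `!engine.isInboundDone()` clause only stops the second and later iterations. If the intent is to skip the wrap entirely, check `engine.isInboundDone()` before entering the loop and short-circuit there, making sure whatever wrapAndFlip returns in that case is handled by its callers; if one wrap on a closed engine is intended (to emit the close_notify), say so in the commit message or a comment on the clause.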
    
1302c8cf4476

[UNDERTOW-2239] CVE-2023-1108 At SslConduit.wrapAndFlip, do not attempt to wrap if engine.isInboundDone()

https://github.com/undertow-io/undertow · Flavia Rainone · Feb 28, 2023 · via GHSA
1 file changed · +2 −1
  • core/src/main/java/io/undertow/protocols/ssl/SslConduit.java  +2 −1  modified
    @@ -999,7 +999,8 @@ private synchronized long doWrap(ByteBuffer[] userBuffers, int off, int len) thr
     
         private SSLEngineResult wrapAndFlip(ByteBuffer[] userBuffers, int off, int len) throws IOException {
             SSLEngineResult result = null;
    -        while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW)) {
    +        while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP
    +                && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW && !engine.isInboundDone())) {
                 if (userBuffers == null) {
                     result = engine.wrap(EMPTY_BUFFER, wrappedData.getBuffer());
                 } else {
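
Review bot: the loop still has no exit for a wrap result whose status is CLOSED while the handshake status stays NEED_WRAP; after this change only BUFFER_OVERFLOW and the inbound-done check break it. Since the engine cannot make progress once it reports CLOSED, consider adding `&& result.getStatus() != SSLEngineResult.Status.CLOSED` to the condition so a closed engine that has not yet reported inbound as done cannot keep the loop spinning.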
    
ccc053b55f5d

[UNDERTOW-2239] CVE-2023-1108 At SslConduit.wrapAndFlip, do not attempt to wrap if engine.isInboundDone()

https://github.com/undertow-io/undertow · Flavia Rainone · Feb 28, 2023 · via GHSA
1 file changed · +2 −1
  • core/src/main/java/io/undertow/protocols/ssl/SslConduit.java  +2 −1  modified
    @@ -1004,7 +1004,8 @@ private synchronized long doWrap(ByteBuffer[] userBuffers, int off, int len) thr
     
         private SSLEngineResult wrapAndFlip(ByteBuffer[] userBuffers, int off, int len) throws IOException {
             SSLEngineResult result = null;
    -        while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW)) {
    +        while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP
    +                && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW && !engine.isInboundDone())) {
                 if (userBuffers == null) {
                     result = engine.wrap(EMPTY_BUFFER, wrappedData.getBuffer());
                 } else {
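
Review bot: the fix ships without a regression test: this commit, like the identical hunk in 1302c8cf4476 above, touches only SslConduit.java, so nothing drives the conduit through a peer-initiated close and asserts that wrapAndFlip returns, and a later refactor of this condition could silently reintroduce the spin. A one-line comment on the new clause would also help, since the three-part condition now wraps across two lines and the reason the third clause is needed (the close path keeps reporting NEED_WRAP without progress) is not visible from the code itself.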
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 24
