CVE-2024-1635
Description
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available.
At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.undertow:undertow-coreMaven | >= 2.3.0.Final, < 2.3.12.Final | 2.3.12.Final |
io.undertow:undertow-coreMaven | < 2.2.31.Final | 2.2.31.Final |
Affected products
2Patches
Vulnerability mechanics
References
21- access.redhat.com/errata/RHSA-2024:1674nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:1675nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:1676nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:1677nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:1860nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:1861nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:1862nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:1864nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:1866nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:3354nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2024:4884nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2025:4226nvdThird Party AdvisoryWEB
- access.redhat.com/security/cve/CVE-2024-1635nvdThird Party AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-w6qf-42m7-vh68ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-1635ghsaADVISORY
- security.netapp.com/advisory/ntap-20240322-0007/nvdVendor Advisory
- github.com/undertow-io/undertow/commit/3cdb104e225f34547ce9fd6eb8799eb68e040f19ghsaWEB
- github.com/undertow-io/undertow/commit/7d388c5aae9b82afb63f24e3b6a2044838dfb4deghsaWEB
- security.netapp.com/advisory/ntap-20240322-0007ghsaWEB
- access.redhat.com/errata/RHSA-2025:9583nvd
News mentions
0No linked articles in our index yet.