Undertow Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Undertow, affecting versions prior to 2.2.15. The issue arises when certain calls are made over HTTP/2, causing the client-side invocation timeout to be triggered. This flaw can be exploited by an attacker to disrupt service availability.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing application responses to be delayed or dropped, which can disrupt normal user activities or automated processes.

Reproduction

The vulnerability can be reproduced by sending HTTP/2 requests that include a large number of headers or substantial data payloads. This can be done using a client that supports HTTP/2, such as curl or a custom application, configured to send requests over HTTP/2 with the specified header and data sizes. The Undertow server must be running in an environment where this vulnerability is present, such as in certain NetApp products or older versions of the Red Hat JBoss Enterprise Application Platform.

Remediation

Users can upgrade to Undertow version 2.2.15 or later to address this vulnerability. Red Hat JBoss Enterprise Application Platform users can refer to the product's errata notifications for upgrade instructions.
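As an added example (not from the advisory or the Undertow project), the following Python checks a Maven-style dependency listing for Undertow artifacts older than the 2.2.15 fix named above. The version-parsing rule (numeric prefix, ignoring qualifiers such as ".Final" or ".SP1") and the sample listing are assumptions constructed for this illustration.

```python
"""Flag Undertow artifacts that fall below the fixed version from this advisory."""
import re

# Threshold taken from the advisory: versions prior to 2.2.15 are affected.
FIXED_VERSION = (2, 2, 15)

# Constructed sample in the shape of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCIES = """\
   io.undertow:undertow-core:jar:2.2.14.Final:compile
   io.undertow:undertow-servlet:jar:2.2.15.Final:compile
   io.undertow:undertow-core:jar:2.3.0.Final:compile
   org.jboss.xnio:xnio-api:jar:3.8.7.Final:compile
   io.undertow:undertow-websockets-jsr:jar:1.4.18.SP1:compile
"""

# Matches "<group>:<artifact>:<packaging>:<version>:<scope>" for the io.undertow group.
_UNDERTOW_LINE = re.compile(r"^io\.undertow:([\w-]+):\w+:([^:]+):")


def parse_version(version: str) -> tuple:
    """Return the leading numeric components, e.g. '2.2.14.Final' -> (2, 2, 14).

    Assumption: qualifiers such as 'Final' or 'SP1' do not affect ordering.
    """
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break  # stop at the first non-numeric qualifier
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)  # pad short versions like '2.2' to three components
    return tuple(nums[:3])


def is_affected(version: str) -> bool:
    """True when the version is older than the fixed release (2.2.15)."""
    return parse_version(version) < FIXED_VERSION


def find_affected(dependency_list: str) -> list:
    """Return (artifact, version) pairs for Undertow artifacts that need upgrading."""
    hits = []
    for line in dependency_list.splitlines():
        match = _UNDERTOW_LINE.match(line.strip())
        if match and is_affected(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_DEPENDENCIES):
        print(f"{artifact} {version}: upgrade to 2.2.15 or later")
```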

Added: Apr 7, 2026, 11:22 AM
Updated: Apr 7, 2026, 11:22 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.