Red Hat JBoss Narayana LRA Coordinator Component Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the LRA Coordinator component of Narayana. When a 'Cancel' request is initiated in a Long Running Action (LRA), it takes approximately 2 seconds to process. If a 'Join' request with the same LRA ID is sent within this 2-second window, it can cause the application to crash or hang indefinitely.

Impact

Exploitation of this vulnerability can lead to a deadlock, where multiple join requests cause the application to hang indefinitely, or a crash, where the application fails abruptly.

Reproduction

To reproduce this vulnerability, initiate a 'Cancel' request in an LRA. Within 2 seconds of this request, send a 'Join' request using the same LRA ID. This will cause the application to either crash or hang indefinitely.
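The pattern the advisory describes (a 'Join' for an LRA ID arriving inside the 2-second window after a 'Cancel' for that same ID) is something an operator can look for in coordinator request logs. The script below is an added example written for this page, not code from Narayana or Red Hat; it assumes a simplified, constructed log format (timestamp, LRA ID, action) rather than any real coordinator log layout, and uses the 2-second window the advisory names. It flags every join that follows a cancel on the same LRA within that window, including repeated joins, which is the multi-join case the Impact section ties to a deadlock.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real Narayana output). The format assumed
# here is: ISO-8601 timestamp, LRA id, action (start|join|cancel|close).
SAMPLE_LOG = """\
2025-09-01T19:00:00.000Z lra-0001 start
2025-09-01T19:00:01.000Z lra-0001 join
2025-09-01T19:00:05.000Z lra-0001 cancel
2025-09-01T19:00:05.800Z lra-0001 join
2025-09-01T19:00:06.100Z lra-0001 join
2025-09-01T19:00:10.000Z lra-0002 cancel
2025-09-01T19:00:13.000Z lra-0002 join
2025-09-01T19:00:14.000Z lra-0003 join
"""

# Window taken from the advisory: a cancel takes about 2 seconds to process.
RACE_WINDOW = timedelta(seconds=2)


@dataclass(frozen=True)
class Event:
    ts: datetime
    lra_id: str
    action: str


def parse_line(line: str) -> Event:
    """Parse one line of the assumed 'timestamp lra_id action' format."""
    ts_s, lra_id, action = line.split()
    return Event(datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S.%fZ"), lra_id, action)


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_join_after_cancel(events: list[Event], window: timedelta = RACE_WINDOW):
    """Return (lra_id, cancel_time, join_time) for every join that lands on an
    LRA within `window` after that LRA's most recent cancel.  Events are sorted
    by time first, so unsorted input is handled correctly."""
    last_cancel: dict[str, datetime] = {}
    hits: list[tuple[str, datetime, datetime]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "cancel":
            last_cancel[ev.lra_id] = ev.ts
        elif ev.action == "join":
            cancelled_at = last_cancel.get(ev.lra_id)
            if cancelled_at is not None and ev.ts - cancelled_at <= window:
                hits.append((ev.lra_id, cancelled_at, ev.ts))
    return hits


def joins_per_cancelled_lra(events: list[Event], window: timedelta = RACE_WINDOW) -> dict[str, int]:
    """Count in-window joins per LRA id; more than one join on a cancelling LRA
    is the multi-join condition the advisory associates with a hang."""
    counts: dict[str, int] = {}
    for lra_id, _, _ in find_join_after_cancel(events, window):
        counts[lra_id] = counts.get(lra_id, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for lra_id, cancelled_at, joined_at in find_join_after_cancel(evs):
        delta = (joined_at - cancelled_at).total_seconds()
        print(f"{lra_id}: join {delta:.1f}s after cancel")
    print(joins_per_cancelled_lra(evs))
```

On the constructed sample, only lra-0001 is reported: its two joins arrive 0.8 s and 1.1 s after the cancel, while lra-0002's join is 3 s after its cancel and lra-0003 was never cancelled. Adapting this to a real deployment means replacing `parse_line` with a parser for the coordinator's actual access-log format.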

Remediation

Users can upgrade to Red Hat JBoss Enterprise Application Platform 8.0.6 or JBoss EAP XP 5.0 Update 2.0, both of which include the necessary fix. Instructions for applying this update are available in the Red Hat JBoss Enterprise Application Platform 8.0 documentation.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.2
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.