Red Hat Undertow
cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in Undertow, where malformed client requests cause the server itself to reset the affected HTTP/2 streams; because the resets are server-initiated rather than client-initiated, they do not count against the server's abuse counters for client-sent resets. This issue, known as the 'MadeYouReset' attack, allows malicious clients to create excessive server workload by repeatedly provoking server-side stream resets. Although this is not a flaw in the HTTP/2 protocol itself, it exposes a common implementation weakness that can be exploited to disrupt service availability.
Exploitation of this vulnerability leads to a denial-of-service condition, where the server's CPU and memory resources are consumed by processing stream resets. These resets can be generated at scale over a single TCP/TLS connection, quickly exhausting server capacity and affecting all legitimate clients.
The vulnerability can be reproduced by sending malformed HTTP/2 requests that cause the server to reset the corresponding streams. This can be done with a tool or script that manipulates HTTP/2 control frames to produce the 'MadeYouReset' effect.