Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-1635

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.

Published

2024-02-19T22:15:48.647

Last Modified

2025-06-25T01:15:22.900

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-400

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	oncommand_workflow_automation	-	Yes
Application	redhat	fuse	1.0	Yes
Application	redhat	integration_camel_for_spring_boot	-	Yes
Application	redhat	jboss_enterprise_application_platform	7.4	Yes
Application	redhat	openshift_container_platform	4.11	Yes
Application	redhat	openshift_container_platform	4.12	Yes
Application	redhat	openshift_container_platform_for_linuxone	4.9	Yes
Application	redhat	openshift_container_platform_for_linuxone	4.10	Yes
Application	redhat	openshift_container_platform_for_power	4.9	Yes
Application	redhat	openshift_container_platform_for_power	4.10	Yes
Application	redhat	single_sign-on	-	Yes
Application	redhat	single_sign-on	7.6	Yes

References

https://access.redhat.com/errata/RHSA-2024:1674 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:1675 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:1676 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:1677 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:1860 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:1861 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:1862 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:1864 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:1866 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:3354 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:4884 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2025:4226 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2025:9583 ([email protected])
https://access.redhat.com/security/cve/CVE-2024-1635 Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=2264928 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2024:1674 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2024:1675 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2024:1676 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2024:1677 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2024:1860 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2024:1861 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2024:1862 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2024:1864 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2024:1866 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/security/cve/CVE-2024-1635 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=2264928 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20240322-0007/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)