CVE-2024-1635

Name of the Vulnerable Software and Affected Versions Undertow (affected versions not specified)

Description A vulnerability was found in Undertow that impacts servers supporting the wildfly-http-client protocol. When a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. This is because the remoting connection originates in Undertow as part of the HTTP upgrade and is unaware of the outermost layer when closing the connection during the connection opening procedure, resulting in the WriteTimeoutStreamSinkConduit not being notified of the closed connection. The WriteTimeoutStreamSinkConduit creates a timeout task that is added to XNIO WorkerThread, causing the whole dependency tree to leak via that task.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.