CVE-2024-1635: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2024-1635) was discovered in Undertow that affects servers supporting the wildfly-http-client protocol. The vulnerability was disclosed on February 19, 2024, and has been assigned a CVSS v3.1 base score of 7.5 (HIGH). The vulnerability impacts servers that support the wildfly-http-client protocol and affects various versions of Red Hat JBoss Enterprise Application Platform and Red Hat Single Sign-On (NVD, Red Hat Security).

The vulnerability occurs at HTTP upgrade to remoting, where the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection that is unaware of the outermost layer when closing the connection during the connection opening procedure. As a result, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection, and because it creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread (Red Hat Bugzilla).

When successfully exploited, this vulnerability can lead to both memory and open file limits being exhausted on the server, resulting in a Denial of Service (DoS) condition. The severity of the impact depends on the amount of memory available on the affected system (NetApp Security).

The vulnerability has been fixed in Undertow versions 2.3.10.SP3 and 2.2.30.SP1. Red Hat has released security updates for affected products including JBoss Enterprise Application Platform 7.4 and Red Hat Single Sign-On 7.6.8. Users are advised to upgrade to the fixed versions (Red Hat Security).