CVE-2020-25644 - Vulnerability Details

- wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL

Description

A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.

Published: 2020-10-06

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

wildfly-openssl

affected

Version	Status	Constraints
`before wildfly-openssl 1.1.3.Final`	affected	—

Configuration 1 [-]

cpe:2.3:a:redhat:wildfly_openssl:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:redhat:data_grid:8.0:::::::*
	cpe:2.3:a:redhat:jboss_data_grid:7.0.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*
	cpe:2.3:a:redhat:jboss_fuse:7.0.0:::::::*
	cpe:2.3:a:redhat:openshift_application_runtimes:-:::::::*
	cpe:2.3:a:redhat:single_sign-on:7.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:service_level_manager:-:::::::*

Package	CPE	Advisory	Released Date
EAP 7.3.3
wildfly-openssl-natives-parent	cpe:/a:redhat:jboss_enterprise_application_platform:7.3	RHSA-2020:4923	2020-11-04T00:00:00Z
Red Hat Data Grid 7.3.8
wildfly-openssl	cpe:/a:redhat:jboss_data_grid:7.3	RHSA-2020:5410	2020-12-14T00:00:00Z
Red Hat Data Grid 8.1.1
wildfly-openssl	cpe:/a:redhat:jboss_data_grid:8	RHSA-2021:0433	2021-02-08T00:00:00Z
Red Hat Fuse 7.9
wildfly-openssl	cpe:/a:redhat:jboss_fuse:7	RHSA-2021:3140	2021-08-11T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7
wildfly-openssl-natives-parent	cpe:/a:redhat:jboss_enterprise_application_platform:7.3	RHSA-2020:4257	2020-10-14T00:00:00Z
	cpe:/a:redhat:jboss_enterprise_application_platform:7.3	RHSA-2020:5344	2020-12-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:9582	2025-06-25T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
eap7-wildfly-openssl-linux-x86_64-0:1.0.11-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:4256	2020-10-14T00:00:00Z
eap7-wildfly-openssl-linux-x86_64-0:1.0.12-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:4922	2020-11-04T00:00:00Z
eap7-activemq-artemis-0:2.9.0-6.redhat_00016.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-fge-btf-0:1.2.0-1.redhat_00007.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-fge-msg-simple-0:1.1.0-1.redhat_00007.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-hal-console-0:3.2.11-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-hibernate-validator-0:6.0.21-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jackson-annotations-0:2.10.4-1.redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jackson-core-0:2.10.4-1.redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jackson-coreutils-0:1.6.0-1.redhat_00006.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jackson-jaxrs-providers-0:2.10.4-1.redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jackson-modules-base-0:2.10.4-3.redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jackson-modules-java8-0:2.10.4-1.redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jasypt-0:1.9.3-1.redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jboss-marshalling-0:2.0.10-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jboss-remoting-0:5.0.19-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-3.Final_redhat_00004.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-jboss-xnio-base-0:3.7.11-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-undertow-0:2.0.32-1.SP1_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-wildfly-0:7.3.4-3.GA_redhat_00003.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-wildfly-elytron-0:1.10.9-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2020:5340	2020-12-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
eap7-wildfly-openssl-linux-x86_64-0:1.0.11-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:4256	2020-10-14T00:00:00Z
eap7-wildfly-openssl-linux-x86_64-0:1.0.12-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:4922	2020-11-04T00:00:00Z
eap7-activemq-artemis-0:2.9.0-6.redhat_00016.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-fge-btf-0:1.2.0-1.redhat_00007.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-fge-msg-simple-0:1.1.0-1.redhat_00007.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-hal-console-0:3.2.11-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-hibernate-validator-0:6.0.21-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jackson-annotations-0:2.10.4-1.redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jackson-core-0:2.10.4-1.redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jackson-coreutils-0:1.6.0-1.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jackson-jaxrs-providers-0:2.10.4-1.redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jackson-modules-base-0:2.10.4-3.redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jackson-modules-java8-0:2.10.4-1.redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jasypt-0:1.9.3-1.redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jboss-marshalling-0:2.0.10-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jboss-remoting-0:5.0.19-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-3.Final_redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-jboss-xnio-base-0:3.7.11-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-undertow-0:2.0.32-1.SP1_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-wildfly-0:7.3.4-3.GA_redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-wildfly-elytron-0:1.10.9-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2020:5341	2020-12-03T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
eap7-wildfly-openssl-linux-x86_64-0:1.0.11-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:4256	2020-10-14T00:00:00Z
eap7-wildfly-openssl-linux-x86_64-0:1.0.12-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:4922	2020-11-04T00:00:00Z
eap7-activemq-artemis-0:2.9.0-6.redhat_00016.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-fge-btf-0:1.2.0-1.redhat_00007.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-fge-msg-simple-0:1.1.0-1.redhat_00007.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-hal-console-0:3.2.11-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-hibernate-validator-0:6.0.21-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jackson-annotations-0:2.10.4-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jackson-core-0:2.10.4-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jackson-coreutils-0:1.6.0-1.redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jackson-jaxrs-providers-0:2.10.4-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jackson-modules-base-0:2.10.4-3.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jackson-modules-java8-0:2.10.4-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jasypt-0:1.9.3-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jboss-marshalling-0:2.0.10-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jboss-remoting-0:5.0.19-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-3.Final_redhat_00004.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-jboss-xnio-base-0:3.7.11-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-undertow-0:2.0.32-1.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-wildfly-0:7.3.4-3.GA_redhat_00003.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-wildfly-elytron-0:1.10.9-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2020:5342	2020-12-03T00:00:00Z
Red Hat Single Sign-On 7.4.3 one-off
wildfly-openssl	cpe:/a:redhat:jboss_single_sign_on:7.4	RHSA-2020:4978	2020-11-09T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-hxj4-885f-grgp	Wildfly-OpenSSL memory leak flaw

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00465.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1885485
https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/files
https://issues.redhat.com/browse/WFSSL-51
https://nvd.nist.gov/vuln/detail/CVE-2020-25644
https://security.netapp.com/advisory/ntap-20201016-0004/
https://www.cve.org/CVERecord?id=CVE-2020-25644

History

Wed, 25 Jun 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus

Subscriptions

Netapp Oncommand Insight Oncommand Workflow Automation Service Level Manager

Redhat Data Grid Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Eus Jboss Fuse Jboss Single Sign On Openshift Application Runtimes Single Sign-on Wildfly Openssl

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-10-06T00:00:00.000Z

Updated: 2024-08-04T15:40:36.576Z

Reserved: 2020-09-16T00:00:00.000Z

Link: CVE-2020-25644

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-10-06T14:15:12.760

Modified: 2024-11-21T05:18:19.370

Link: CVE-2020-25644

Redhat

Severity : Important

Publid Date: 2020-09-22T00:00:00Z

Links: CVE-2020-25644 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-401

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object