{"containers": {"cna": {"affected": [{"product": "Undertow", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2"}]}], "descriptions": [{"lang": "en", "value": "When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in \"All workers are in error state\" and mod_cluster responds \"503 Service Unavailable\" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the \"retry\" timeout passes. However, luckily, mod_proxy_balancer has \"forcerecovery\" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding \"503 Service Unavailable\". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-05T15:24:26", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0"}, {"tags": ["x_refsource_MISC"], "url": "https://issues.redhat.com/browse/UNDERTOW-2133"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-2053", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Undertow", "version": {"version_data": [{"version_value": "Fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in \"All workers are in error state\" and mod_cluster responds \"503 Service Unavailable\" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the \"retry\" timeout passes. However, luckily, mod_proxy_balancer has \"forcerecovery\" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding \"503 Service Unavailable\". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0"}, {"name": "https://issues.redhat.com/browse/UNDERTOW-2133", "refsource": "MISC", "url": "https://issues.redhat.com/browse/UNDERTOW-2133"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:24:44.066Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://issues.redhat.com/browse/UNDERTOW-2133"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-2053", "datePublished": "2022-08-05T15:24:27", "dateReserved": "2022-06-10T00:00:00", "dateUpdated": "2024-08-03T00:24:44.066Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "matchCriteriaId": "581C0C48-DDC2-4781-9032-C5A0C2544C74", "versionEndExcluding": "2.2.19", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.3.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "F6DD3DE4-9C5D-4768-9414-C63D1D172B7F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in \"All workers are in error state\" and mod_cluster responds \"503 Service Unavailable\" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the \"retry\" timeout passes. However, luckily, mod_proxy_balancer has \"forcerecovery\" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding \"503 Service Unavailable\". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2."}, {"lang": "es", "value": "Cuando una petici\u00f3n POST llega a trav\u00e9s de AJP y la petici\u00f3n excede el l\u00edmite de tama\u00f1o m\u00e1ximo de post (maxEntitySize), la implementaci\u00f3n AjpServerRequestConduit de Undertow cierra una conexi\u00f3n sin enviar ninguna respuesta al cliente/proxy. Este comportamiento resulta en que un proxy del front-end marque al trabajador del backend (servidor de aplicaciones) como un estado de error y no reenv\u00ede peticiones al trabajador durante un tiempo. En mod_cluster, esto contin\u00faa hasta que la siguiente petici\u00f3n de STATUS (en intervalos de 10 segundos) del servidor de aplicaciones actualiza el estado del servidor. As\u00ed que, en el peor de los casos, puede resultar en \"Todos los trabajadores est\u00e1n en estado de error\" y mod_cluster responde \"503 Service Unavailable\" durante un tiempo (hasta 10 segundos). En mod_proxy_balancer, no reenv\u00eda las peticiones al trabajador hasta que pasa el tiempo de espera de \"reintento\". Sin embargo, por suerte, mod_proxy_balancer presenta el par\u00e1metro \"forcerecovery\" (habilitado por defecto; este par\u00e1metro puede forzar la recuperaci\u00f3n inmediata de todos los trabajadores sin tener en cuenta el par\u00e1metro retry de los trabajadores si todos los trabajadores de un balanceador est\u00e1n en estado de error). As\u00ed, a diferencia de mod_cluster, mod_proxy_balancer no resulta en la respuesta \"503 Service Unavailable\". Un atacante podr\u00eda usar este comportamiento para enviar una petici\u00f3n maliciosa y desencadenar errores en el servidor, resultando en DoS (denegaci\u00f3n de servicio). Este fallo fue corregido en Undertow versi\u00f3n 2.2.19.Final, Undertow versi\u00f3n 2.3.0.Alpha2"}], "id": "CVE-2022-2053", "lastModified": "2022-08-11T14:06:29.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-05T16:15:11.560", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://issues.redhat.com/browse/UNDERTOW-2133"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8652", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "low", "package": "undertow", "product_name": "Red Hat Fuse 7.11.1", "release_date": "2022-11-28T00:00:00Z"}, {"advisory": "RHSA-2022:6825", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1.0", "release_date": "2022-10-05T00:00:00Z"}, {"advisory": "RHSA-2022:6822", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow-0:2.2.19-1.SP2_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2022-10-05T00:00:00Z"}, {"advisory": "RHSA-2022:6823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-undertow-0:2.2.19-1.SP2_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2022-10-05T00:00:00Z"}, {"advisory": "RHSA-2022:6821", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-undertow-0:2.2.19-1.SP2_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2022-10-05T00:00:00Z"}], "bugzilla": {"description": "undertow: Large AJP request may cause DoS", "id": "2095862", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095862"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400->CWE-770", "details": ["When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in \"All workers are in error state\" and mod_cluster responds \"503 Service Unavailable\" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the \"retry\" timeout passes. However, luckily, mod_proxy_balancer has \"forcerecovery\" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding \"503 Service Unavailable\". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2.", "A flaw was found in Undertow. AJP requests to the server may allow an attacker to send a malicious request and trigger server errors, resulting in a denial of service."], "name": "CVE-2022-2053", "package_state": [{"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "undertow", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "impact": "low", "package_name": "undertow", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "impact": "low", "package_name": "undertow", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "impact": "low", "package_name": "undertow", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "impact": "low", "package_name": "undertow", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "undertow", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "impact": "low", "package_name": "undertow", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2022-06-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2053\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2053"], "statement": "Red Hat Fuse 7 is now in Maintenance Support Phase and is marked Fixed. However, Red Hat Fuse Online does not contain the fix for this flaw.", "threat_severity": "Moderate", "upstream_fix": "undertow 2.2.19.Final, undertow 2.3.0.Alpha2"}