OpenCVE

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netapp	Oncommand Workflow Automation
Redhat	Build Of Quarkus Camel Quarkus Decision Manager Enterprise Linux Fuse Integration Integration Camel K Integration Service Registry Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Bpms Platform Jboss Fuse Jbosseapxp Openshift Application Runtimes Openshift Container Platform Openshift Container Platform For Linuxone Openshift Container Platform For Power Openstack Openstack Platform Process Automation Quarkus Red Hat Single Sign On Rhosemc Service Registry Single Sign-on Undertow

Configuration 1 [-]

OR	cpe:2.3:a:redhat:build_of_quarkus:-:::::::*
	cpe:2.3:a:redhat:decision_manager:7.0:::::::*
	cpe:2.3:a:redhat:fuse:1.0.0:::::::*
	cpe:2.3:a:redhat:integration_camel_k:-:::::::*
	cpe:2.3:a:redhat:integration_service_registry:-:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:-::::text-only:::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:::::::*
	cpe:2.3:a:redhat:openshift_application_runtimes:-::::text-only:::
	cpe:2.3:a:redhat:openstack_platform:13.0:::::::*
	cpe:2.3:a:redhat:process_automation:7.0:::::::*
	cpe:2.3:a:redhat:single_sign-on:-::::text-only:::
	cpe:2.3:a:redhat:undertow::::::::
	cpe:2.3:a:redhat:undertow::::::::

Configuration 2 [-]

AND

OR	cpe:2.3:a:redhat:openshift_container_platform:4.11:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.12:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:::::::*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Configuration 4 [-]

AND

cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Configuration 5 [-]

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
EAP 7.4.10 release
	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2023:1516	2023-03-29T00:00:00Z
Red Hat Fuse 7.12
undertow	cpe:/a:redhat:jboss_fuse:7	RHSA-2023:3954	2023-06-29T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7
undertow	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2023:1184	2023-03-09T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-undertow-0:2.2.22-1.SP3_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2023:1185	2023-03-09T00:00:00Z
eap7-wildfly-0:7.4.9-6.GA_redhat_00004.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2023:1185	2023-03-09T00:00:00Z
eap7-undertow-0:2.2.23-1.SP2_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2023:1513	2023-03-29T00:00:00Z
eap7-undertow-jastow-0:2.0.14-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2023:1513	2023-03-29T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-undertow-0:2.2.22-1.SP3_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2023:1185	2023-03-09T00:00:00Z
eap7-wildfly-0:7.4.9-6.GA_redhat_00004.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2023:1185	2023-03-09T00:00:00Z
eap7-undertow-0:2.2.23-1.SP2_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2023:1514	2023-03-29T00:00:00Z
eap7-undertow-jastow-0:2.0.14-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2023:1514	2023-03-29T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-undertow-0:2.2.22-1.SP3_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2023:1185	2023-03-09T00:00:00Z
eap7-wildfly-0:7.4.9-6.GA_redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2023:1185	2023-03-09T00:00:00Z
eap7-undertow-0:2.2.23-1.SP2_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2023:1512	2023-03-29T00:00:00Z
eap7-undertow-jastow-0:2.0.14-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2023:1512	2023-03-29T00:00:00Z
Red Hat Single Sign-On 7
undertow	cpe:/a:redhat:red_hat_single_sign_on:7.6.4	RHSA-2023:3892	2023-06-27T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2023:3883	2023-06-27T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2023:3884	2023-06-27T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2023:3885	2023-06-27T00:00:00Z
Red Hat support for Spring Boot 2.7.13
undertow	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2023:4612	2023-08-16T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-24	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:3888	2023-06-27T00:00:00Z
RHPAM 7.13.1 async
undertow	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2023:2135	2023-05-04T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2023:1184
https://access.redhat.com/errata/RHSA-2023:1185
https://access.redhat.com/errata/RHSA-2023:1512
https://access.redhat.com/errata/RHSA-2023:1513
https://access.redhat.com/errata/RHSA-2023:1514
https://access.redhat.com/errata/RHSA-2023:1516
https://access.redhat.com/errata/RHSA-2023:2135
https://access.redhat.com/errata/RHSA-2023:3883
https://access.redhat.com/errata/RHSA-2023:3884
https://access.redhat.com/errata/RHSA-2023:3885
https://access.redhat.com/errata/RHSA-2023:3888
https://access.redhat.com/errata/RHSA-2023:3892
https://access.redhat.com/errata/RHSA-2023:3954
https://access.redhat.com/errata/RHSA-2023:4612
https://access.redhat.com/security/cve/CVE-2023-1108
https://bugzilla.redhat.com/show_bug.cgi?id=2174246
https://github.com/advisories/GHSA-m4mm-pg93-fv78
https://nvd.nist.gov/vuln/detail/CVE-2023-1108
https://security.netapp.com/advisory/ntap-20231020-0002/
https://www.cve.org/CVERecord?id=CVE-2023-1108

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-14T14:48:58.869Z

Updated: 2024-08-02T05:32:46.370Z

Reserved: 2023-03-01T00:27:23.587Z

Link: CVE-2023-1108

Vulnrichment

Updated: 2024-08-02T05:32:46.370Z

NVD

Status : Modified

Published: 2023-09-14T15:15:08.293

Modified: 2024-05-03T16:15:10.140

Link: CVE-2023-1108

Redhat

Severity : Important

Publid Date: 2023-03-07T00:00:00Z

Links: CVE-2023-1108 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object