Vulnerability-Lookup

CVE-2016-9589 (GCVE-0-2016-9589)

Vulnerability from cvelistv5 – Published: 2018-03-12 15:00 – Updated: 2024-08-06 02:59

Summary

Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection.

Severity ?

No CVSS data available.

CWE

CWE-400

Assigner

redhat

References

URL

Tags

	http://rhn.redhat.com/errata/RHSA-2017-0831.html	vendor-advisoryx_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2017-0876.html	vendor-advisoryx_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2017-0834.html	vendor-advisoryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=1404782	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2017:3458	vendor-advisoryx_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2017-0832.html	vendor-advisoryx_refsource_REDHAT
	http://www.securityfocus.com/bid/97060	vdb-entryx_refsource_BID
	https://access.redhat.com/errata/RHSA-2017:3455	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2017:3456	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2017:0873	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2017:3454	vendor-advisoryx_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2017-0830.html	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2017:0872	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	Red Hat, Inc.	wildfly	Affected: 11.0.0.Beta1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:59:02.944Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2017:0831",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0831.html"
          },
          {
            "name": "RHSA-2017:0876",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0876.html"
          },
          {
            "name": "RHSA-2017:0834",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0834.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782"
          },
          {
            "name": "RHSA-2017:3458",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3458"
          },
          {
            "name": "RHSA-2017:0832",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0832.html"
          },
          {
            "name": "97060",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97060"
          },
          {
            "name": "RHSA-2017:3455",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3455"
          },
          {
            "name": "RHSA-2017:3456",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3456"
          },
          {
            "name": "RHSA-2017:0873",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:0873"
          },
          {
            "name": "RHSA-2017:3454",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3454"
          },
          {
            "name": "RHSA-2017:0830",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0830.html"
          },
          {
            "name": "RHSA-2017:0872",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:0872"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly",
          "vendor": "Red Hat, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "11.0.0.Beta1"
            }
          ]
        }
      ],
      "datePublic": "2017-03-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to \"max-headers\" (default 200) * \"max-header-size\" (default 1MB) per active TCP connection."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-13T09:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2017:0831",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2017-0831.html"
        },
        {
          "name": "RHSA-2017:0876",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2017-0876.html"
        },
        {
          "name": "RHSA-2017:0834",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2017-0834.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782"
        },
        {
          "name": "RHSA-2017:3458",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3458"
        },
        {
          "name": "RHSA-2017:0832",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2017-0832.html"
        },
        {
          "name": "97060",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97060"
        },
        {
          "name": "RHSA-2017:3455",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3455"
        },
        {
          "name": "RHSA-2017:3456",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3456"
        },
        {
          "name": "RHSA-2017:0873",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:0873"
        },
        {
          "name": "RHSA-2017:3454",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3454"
        },
        {
          "name": "RHSA-2017:0830",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2017-0830.html"
        },
        {
          "name": "RHSA-2017:0872",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:0872"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-9589",
    "datePublished": "2018-03-12T15:00:00.000Z",
    "dateReserved": "2016-11-23T00:00:00.000Z",
    "dateUpdated": "2024-08-06T02:59:02.944Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CNVD-2017-05279

Vulnerability from cnvd - Published: 2017-04-25

Title

Redhat Wildfly拒绝服务漏洞

Description

Red Hat Wildfly（前称JBoss Application Server）是美国红帽（Red Hat）公司的一款基于JavaEE的开源应用服务器。 Redhat Wildfly存在拒绝服务漏洞。攻击者可利用该漏洞造成拒绝服务。

Severity

中

Patch Name

Redhat Wildfly拒绝服务漏洞的补丁

Patch Description

Red Hat Wildfly（前称JBoss Application Server）是美国红帽（Red Hat）公司的一款基于JavaEE的开源应用服务器。 Redhat Wildfly存在拒绝服务漏洞。攻击者可利用该漏洞造成拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://bugzilla.redhat.com/show_bug.cgi?id=1404782

Reference

http://www.securityfocus.com/bid/97060

Impacted products

Name
Red Hat Wildfly

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "97060"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-9589",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9589"
    }
  },
  "description": "Red Hat Wildfly\uff08\u524d\u79f0JBoss Application Server\uff09\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u57fa\u4e8eJavaEE\u7684\u5f00\u6e90\u5e94\u7528\u670d\u52a1\u5668\u3002\r\n\r\nRedhat Wildfly\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Gabriel Lavoie (Halogen Software)",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1404782",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-05279",
  "openTime": "2017-04-25",
  "patchDescription": "Red Hat Wildfly\uff08\u524d\u79f0JBoss Application Server\uff09\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u57fa\u4e8eJavaEE\u7684\u5f00\u6e90\u5e94\u7528\u670d\u52a1\u5668\u3002\r\n\r\nRedhat Wildfly\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Redhat Wildfly\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Red Hat Wildfly"
  },
  "referenceLink": "http://www.securityfocus.com/bid/97060",
  "serverity": "\u4e2d",
  "submitTime": "2017-03-28",
  "title": "Redhat Wildfly\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

GSD-2016-9589

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-9589

Aliases

CVE-2016-9589

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-9589",
    "description": "Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to \"max-headers\" (default 200) * \"max-header-size\" (default 1MB) per active TCP connection.",
    "id": "GSD-2016-9589",
    "references": [
      "https://access.redhat.com/errata/RHSA-2017:3458",
      "https://access.redhat.com/errata/RHSA-2017:3456",
      "https://access.redhat.com/errata/RHSA-2017:3455",
      "https://access.redhat.com/errata/RHSA-2017:3454",
      "https://access.redhat.com/errata/RHSA-2017:0876",
      "https://access.redhat.com/errata/RHSA-2017:0873",
      "https://access.redhat.com/errata/RHSA-2017:0872",
      "https://access.redhat.com/errata/RHSA-2017:0834",
      "https://access.redhat.com/errata/RHSA-2017:0832",
      "https://access.redhat.com/errata/RHSA-2017:0831",
      "https://access.redhat.com/errata/RHSA-2017:0830"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-9589"
      ],
      "details": "Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to \"max-headers\" (default 200) * \"max-header-size\" (default 1MB) per active TCP connection.",
      "id": "GSD-2016-9589",
      "modified": "2023-12-13T01:21:21.283140Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2016-9589",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "wildfly",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "11.0.0.Beta1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Red Hat, Inc."
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to \"max-headers\" (default 200) * \"max-header-size\" (default 1MB) per active TCP connection."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-400",
                "lang": "eng",
                "value": "CWE-400"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://access.redhat.com/errata/RHSA-2017:3454",
            "refsource": "MISC",
            "url": "https://access.redhat.com/errata/RHSA-2017:3454"
          },
          {
            "name": "https://access.redhat.com/errata/RHSA-2017:3455",
            "refsource": "MISC",
            "url": "https://access.redhat.com/errata/RHSA-2017:3455"
          },
          {
            "name": "https://access.redhat.com/errata/RHSA-2017:3456",
            "refsource": "MISC",
            "url": "https://access.redhat.com/errata/RHSA-2017:3456"
          },
          {
            "name": "https://access.redhat.com/errata/RHSA-2017:3458",
            "refsource": "MISC",
            "url": "https://access.redhat.com/errata/RHSA-2017:3458"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2017-0830.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0830.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2017-0831.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0831.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2017-0832.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0832.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2017-0834.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0834.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2017-0876.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2017-0876.html"
          },
          {
            "name": "http://www.securityfocus.com/bid/97060",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/97060"
          },
          {
            "name": "https://access.redhat.com/errata/RHSA-2017:0872",
            "refsource": "MISC",
            "url": "https://access.redhat.com/errata/RHSA-2017:0872"
          },
          {
            "name": "https://access.redhat.com/errata/RHSA-2017:0873",
            "refsource": "MISC",
            "url": "https://access.redhat.com/errata/RHSA-2017:0873"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,11.0.0.Beta1)",
          "affected_versions": "All versions before 11.0.0.beta1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2023-07-28",
          "description": "Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to \"max-headers\" (default 200) * \"max-header-size\" (default 1MB) per active TCP connection.",
          "fixed_versions": [
            "11.0.0.Beta1"
          ],
          "identifier": "CVE-2016-9589",
          "identifiers": [
            "GHSA-p4xg-cpr9-vwvj",
            "CVE-2016-9589"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.wildfly/wildfly-parent",
          "pubdate": "2022-05-13",
          "solution": "Upgrade to version 11.0.0.Beta1 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2016-9589",
            "https://access.redhat.com/errata/RHSA-2017:0872",
            "https://access.redhat.com/errata/RHSA-2017:0873",
            "https://access.redhat.com/errata/RHSA-2017:3454",
            "https://access.redhat.com/errata/RHSA-2017:3455",
            "https://access.redhat.com/errata/RHSA-2017:3456",
            "https://access.redhat.com/errata/RHSA-2017:3458",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1404782",
            "http://rhn.redhat.com/errata/RHSA-2017-0830.html",
            "http://rhn.redhat.com/errata/RHSA-2017-0831.html",
            "http://rhn.redhat.com/errata/RHSA-2017-0832.html",
            "http://rhn.redhat.com/errata/RHSA-2017-0834.html",
            "http://rhn.redhat.com/errata/RHSA-2017-0876.html",
            "http://www.securityfocus.com/bid/97060",
            "https://github.com/advisories/GHSA-p4xg-cpr9-vwvj"
          ],
          "uuid": "d0ad6afa-39ec-4620-a5ff-be7ee9f618d9"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_wildfly_application_server:11.0.0:alpha1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_wildfly_application_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "10.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-9589"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to \"max-headers\" (default 200) * \"max-header-size\" (default 1MB) per active TCP connection."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782"
            },
            {
              "name": "RHSA-2017:3458",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3458"
            },
            {
              "name": "RHSA-2017:3456",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3456"
            },
            {
              "name": "RHSA-2017:3455",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3455"
            },
            {
              "name": "RHSA-2017:3454",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3454"
            },
            {
              "name": "RHSA-2017:0873",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:0873"
            },
            {
              "name": "RHSA-2017:0872",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:0872"
            },
            {
              "name": "97060",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/97060"
            },
            {
              "name": "RHSA-2017:0876",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0876.html"
            },
            {
              "name": "RHSA-2017:0834",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0834.html"
            },
            {
              "name": "RHSA-2017:0832",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0832.html"
            },
            {
              "name": "RHSA-2017:0831",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0831.html"
            },
            {
              "name": "RHSA-2017:0830",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2017-0830.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-09T23:20Z",
      "publishedDate": "2018-03-12T15:29Z"
    }
  }
}

GHSA-P4XG-CPR9-VWVJ

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2023-11-02 16:05

Summary

Red Hat Wildfly DoS

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.wildfly:wildfly-undertow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.0.Beta1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-9589"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-28T21:38:39Z",
    "nvd_published_at": "2018-03-12T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to \"max-headers\" (default 200) * \"max-header-size\" (default 1MB) per active TCP connection.",
  "id": "GHSA-p4xg-cpr9-vwvj",
  "modified": "2023-11-02T16:05:42Z",
  "published": "2022-05-13T01:38:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9589"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:0872"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:0873"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3454"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3455"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3456"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3458"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wildfly/wildfly"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227180917/https://www.securityfocus.com/bid/97060"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0830.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0831.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0832.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0834.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0876.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Red Hat Wildfly DoS"
}

FKIE_CVE-2016-9589

Vulnerability from fkie_nvd - Published: 2018-03-12 15:29 - Updated: 2024-11-21 03:01

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2017-0830.html	Vendor Advisory
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2017-0831.html	Vendor Advisory
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2017-0832.html	Vendor Advisory
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2017-0834.html	Vendor Advisory
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2017-0876.html	Vendor Advisory
secalert@redhat.com	http://www.securityfocus.com/bid/97060	Third Party Advisory, VDB Entry
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2017:0872	Vendor Advisory
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2017:0873	Vendor Advisory
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2017:3454	Vendor Advisory
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2017:3455	Vendor Advisory
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2017:3456	Vendor Advisory
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2017:3458	Vendor Advisory
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1404782	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2017-0830.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2017-0831.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2017-0832.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2017-0834.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2017-0876.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/97060	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2017:0872	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2017:0873	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2017:3454	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2017:3455	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2017:3456	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2017:3458	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1404782	Issue Tracking

Impacted products

	Vendor	Product	Version
	redhat	jboss_wildfly_application_server	*
	redhat	jboss_wildfly_application_server	11.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_wildfly_application_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFA3794D-ABF9-435A-9F91-6491F436CAC9",
              "versionEndIncluding": "10.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_wildfly_application_server:11.0.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "6D328974-0F84-4D35-B2E4-0E766AC40E71",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to \"max-headers\" (default 200) * \"max-header-size\" (default 1MB) per active TCP connection."
    },
    {
      "lang": "es",
      "value": "Undertow en Red Hat wildfly, en versiones anteriores a la 11.0.0.Beta1, es vulnerable a un agotamiento de recursos, lo cual resulta en una denegaci\u00f3n de servicio (DoS). Undertow mantiene una cach\u00e9 de las cabeceras HTTP vistas en conexiones persistentes. Se ha descubierto que esta cach\u00e9 puede ser explotada f\u00e1cilmente para llenar la memoria con elementos no utilizados, hasta \"max-headers\" (200 por defecto) * \"max-header-size\" (1MB por defecto) por conexi\u00f3n TCP activa."
    }
  ],
  "id": "CVE-2016-9589",
  "lastModified": "2024-11-21T03:01:27.900",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-03-12T15:29:00.273",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0830.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0831.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0832.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0834.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0876.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/97060"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:0872"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:0873"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:3454"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:3455"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:3456"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:3458"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0830.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0831.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0832.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0834.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0876.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/97060"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:0872"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:0873"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:3454"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:3455"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:3456"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2017:3458"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404782"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-9589 (GCVE-0-2016-9589)

CNVD-2017-05279

GSD-2016-9589

GHSA-P4XG-CPR9-VWVJ

FKIE_CVE-2016-9589

Tags

Sightings

Nomenclature