#VU11069 Resource exhaustion in Wildfly - CVE-2016-9589

Cybersecurity Help s.r.o.

Published: 2018-03-14

Vulnerability identifier: #VU11069

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-9589

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Wildfly
Server applications / Frameworks for developing and running applications

Vendor: Red Hat Inc.

Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the Undertow component due to improper resource management. A remote attacker can use a cache of seen HTTP headers that is kept in persistent connections, send a specially crafted input, consume excessive amounts of memory resources and cause the service to crash.

Mitigation
Update to version 11.0.0.Beta1 or later.

Vulnerable software versions

Wildfly: 8.2.0 - 10.1.0

External links
https://issues.jboss.org/browse/WFLY-7725

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat JBoss Enterprise Application Platform 7 update for eap7-jboss-ec2-eap

Denial of service in Red Hat WildFly