OESA-2024-2353

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2353
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-2353.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2024-2353
Upstream
Published
2024-11-08T15:07:35Z
Modified
2025-08-12T05:35:14.219354Z
Summary
undertow security update
Details

Java web server using non-blocking IO

Security Fix(es):

A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.(CVE-2021-3690)

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).(CVE-2023-5379)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-7.oe2203sp4

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-7.oe2203sp4.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-7.oe2203sp4.noarch.rpm",
        "undertow-javadoc-1.4.0-7.oe2203sp4.noarch.rpm"
    ]
}

openEuler:22.03-LTS-SP3 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-7.oe2203sp3

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-7.oe2203sp3.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-7.oe2203sp3.noarch.rpm",
        "undertow-javadoc-1.4.0-7.oe2203sp3.noarch.rpm"
    ]
}

openEuler:20.03-LTS-SP4 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-7.oe2003sp4

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-7.oe2003sp4.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-7.oe2003sp4.noarch.rpm",
        "undertow-javadoc-1.4.0-7.oe2003sp4.noarch.rpm"
    ]
}

openEuler:22.03-LTS-SP1 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-7.oe2203sp1

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-7.oe2203sp1.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-7.oe2203sp1.noarch.rpm",
        "undertow-javadoc-1.4.0-7.oe2203sp1.noarch.rpm"
    ]
}

openEuler:24.03-LTS / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-8.oe2403

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-8.oe2403.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-8.oe2403.noarch.rpm",
        "undertow-javadoc-1.4.0-8.oe2403.noarch.rpm"
    ]
}
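Every range above is an OSV ECOSYSTEM range with introduced 0 and one fixed RPM build per openEuler release, so an installed undertow RPM is affected exactly when its epoch:version-release sorts below the fixed build under RPM's own ordering, not under plain string comparison (which would rank release 7 above release 10). The following is an added example, not code from the openEuler advisory or the undertow project: it ports rpm's rpmvercmp() ordering to Python and checks an installed build, in the form printed by rpm -q undertow --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' (an unset epoch prints as "(none)"), against the fixed versions copied from this page. The function names and the sample installed versions are constructed for the example.

```python
# Fixed build per openEuler release, copied from this advisory's "Affected ranges".
# Every range is an OSV ECOSYSTEM range with introduced "0": all earlier builds are affected.
FIXED_BY_DISTRO = {
    "openEuler-22.03-LTS-SP4": "1.4.0-7.oe2203sp4",
    "openEuler-22.03-LTS-SP3": "1.4.0-7.oe2203sp3",
    "openEuler-20.03-LTS-SP4": "1.4.0-7.oe2003sp4",
    "openEuler-22.03-LTS-SP1": "1.4.0-7.oe2203sp1",
    "openEuler-24.03-LTS": "1.4.0-8.oe2403",
}


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _isalpha(c: str) -> bool:
    return "a" <= c <= "z" or "A" <= c <= "Z"


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings as rpm's rpmvercmp() does: -1, 0 or 1.
    Separators are ignored, numeric segments compare numerically (10 > 7), alphabetic
    segments compare as strings, a numeric segment beats an alphabetic one, '~' sorts
    below even end-of-string and '^' sorts above end-of-string but below anything else."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (_isdigit(a[i]) or _isalpha(a[i]) or a[i] in "~^"):
            i += 1                          # skip separator characters
        while j < lb and not (_isdigit(b[j]) or _isalpha(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":          # pre-release marker
            if ca != cb:
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # post-release marker
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != cb:
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        # Pull the next segment of one kind (all digits or all letters) from both strings.
        pred = _isdigit if _isdigit(ca) else _isalpha
        ea, eb = i, j
        while ea < la and pred(a[ea]):
            ea += 1
        while eb < lb and pred(b[eb]):
            eb += 1
        sa, sb = a[i:ea], b[j:eb]
        if not sb:                          # kinds differ: numeric always wins
            return 1 if pred is _isdigit else -1
        if pred is _isdigit:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ea, eb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1             # whichever string has characters left wins


def parse_evr(evr: str) -> tuple:
    """Split 'epoch:version-release'; the epoch is optional and '(none)' (rpm --qf) means 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e != "(none)":
            epoch = int(e)
    version, sep, release = evr.rpartition("-")
    if not sep:
        version, release = release, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch numerically, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_affected(distro: str, installed_evr: str) -> bool:
    """True when the installed undertow build on `distro` sorts below the fixed build."""
    return evrcmp(installed_evr, FIXED_BY_DISTRO[distro]) < 0


if __name__ == "__main__":
    # Constructed sample of what `rpm -q undertow --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n'`
    # might print on two hosts; not output captured from any real system.
    for distro, seen in [("openEuler-22.03-LTS-SP4", "(none):1.4.0-6.oe2203sp4"),
                         ("openEuler-24.03-LTS", "(none):1.4.0-8.oe2403")]:
        state = "AFFECTED" if is_affected(distro, seen) else "fixed"
        print(f"{distro}: installed {seen} -> {state}")
```

The release string is compared, not just the version: all five fixed builds keep upstream version 1.4.0 and carry the fix only in the distribution release (7.oe2203sp4, 8.oe2403, and so on), so a check that looks at VERSION alone would report every host as fixed. The tilde and caret rules matter for the same reason; rpm treats 1.4.0~rc1 as older than 1.4.0 and 1.4.0^post1 as newer, and a scanner that sorts those as plain strings gets both wrong.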