CVE-2022-1319: A Flaw in Undertow Leads to Improper Handling of AJP 400 Response Packets in JBoss EAP 7

A vulnerability has been discovered in Undertow, a Java-based web server library used in various products, including Red Hat's JBoss EAP 7 (Enterprise Application Platform). The flaw, tracked as CVE-2022-1319, affects the handling of response packets sent over the AJP (Apache JServ Protocol) connector, the channel between a front-end web server (reverse proxy) and the application server.

In a specific scenario involving a 400 response, JBoss EAP 7 sends two response packets with the reuse flag set, even though the connection is closed by the application running on top of EAP. The web server therefore keeps the connection and probes it with CPING/CPONG before reusing it, and the stale second packet breaks that exchange, so connection reuse after the 400 error fails.

This post will explore the details of the vulnerability, related code snippets, and implications for affected systems. We will also provide links to the original references for further information.

Exploit Details

The vulnerability revolves around JBoss EAP 7's handling of AJP 400 responses. The following sequence of events describes the improper packet handling (in AJP13 the reuse flag travels in the END_RESPONSE packet that terminates each response, not in the SEND_HEADERS packet itself):

1. The application running on EAP rejects the request with a 400, and the connection is to be closed.
2. EAP nevertheless sends the first SEND_HEADERS response packet, terminated with the reuse flag set.
3. EAP then sends a second SEND_HEADERS response packet, again with the reuse flag set, even though the connection should have been closed.
4. Because the reuse flag was set, the web server keeps the connection and, before reusing it, sends a CPING packet to check that it is still healthy.
5. Instead of reading a CPONG response, the web server reads the second SEND_HEADERS packet from step 3.
6. The reuse check fails, which can lead to errors or downtime for requests routed through that connection.

The following simplified pseudocode (illustrative only, not Undertow's actual source; AjpResponsePacket is a placeholder type) shows the flawed handling, with the reuse flag set on both responses:

...
if (responseCode == 400) {
    AjpResponsePacket responsePacket1 = new AjpResponsePacket();
    responsePacket1.setReuse(true); // incorrect: the connection is about to be closed
    responsePacket1.sendHeaders();
    responsePacket1.endResponse();  // END_RESPONSE goes out with reuse=1

    AjpResponsePacket responsePacket2 = new AjpResponsePacket();
    responsePacket2.setReuse(true); // incorrect: a second response should not be written at all
    responsePacket2.sendHeaders();
    responsePacket2.endResponse();  // the web server later reads this instead of a CPONG
}
...

The expected behavior is a single 400 response whose END_RESPONSE clears the reuse flag, so that the web server closes the connection instead of keeping it and probing it with CPING:

...
if (responseCode == 400) {
    AjpResponsePacket responsePacket = new AjpResponsePacket();
    responsePacket.setReuse(false); // connection will be closed; the web server must not reuse it
    responsePacket.sendHeaders();
    responsePacket.endResponse();   // one END_RESPONSE with reuse=0, and no second response
}
...
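The exchange described in the steps above, simulated end to end as an added example that is not part of the original post and not Undertow's code. A fake container emits either the faulty stream (two 400 responses, both ending with reuse=1) or the expected one (a single 400 response ending with reuse=0), and a minimal web-server side reads the response and, when the reuse flag is set, probes the connection with CPING and checks for CPONG. The packet framing and prefix codes follow the AJP13 protocol; the FakeContainer class, the function names and the sample header are constructed for this example.

```python
"""Simulated AJP exchange behind CVE-2022-1319 (constructed example, not Undertow code)."""
import struct
from typing import Dict, List, Tuple

# AJP13 prefix codes. Container (application server) -> web server:
SEND_HEADERS = 0x04
END_RESPONSE = 0x05  # payload is one "reuse" byte: 1 = keep the connection, 0 = close it
CPONG = 0x09
# Web server -> container:
CPING = 0x0A


def ajp_string(text: str) -> bytes:
    """AJP string encoding: 2-byte big-endian length, the bytes, a NUL terminator."""
    data = text.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def container_packet(payload: bytes) -> bytes:
    """Frame a container -> web-server packet: magic 'AB', 2-byte length, payload."""
    return b"AB" + struct.pack(">H", len(payload)) + payload


def server_packet(payload: bytes) -> bytes:
    """Frame a web-server -> container packet: magic 0x1234, 2-byte length, payload."""
    return b"\x12\x34" + struct.pack(">H", len(payload)) + payload


def send_headers(status: int, reason: str, headers: List[Tuple[str, str]]) -> bytes:
    """SEND_HEADERS: status code, reason string, header count, then (name, value) strings."""
    body = bytes([SEND_HEADERS]) + struct.pack(">H", status) + ajp_string(reason)
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        body += ajp_string(name) + ajp_string(value)
    return container_packet(body)


def end_response(reuse: bool) -> bytes:
    """END_RESPONSE carrying the reuse flag that decides whether the web server keeps the socket."""
    return container_packet(bytes([END_RESPONSE, 1 if reuse else 0]))


def buggy_400_stream() -> bytes:
    """Constructed stream matching the advisory: the 400 response is written twice, both with reuse set."""
    once = send_headers(400, "Bad Request", [("Content-Length", "0")]) + end_response(True)
    return once + once


def fixed_400_stream() -> bytes:
    """Expected behaviour: a single 400 response with reuse cleared, so the web server closes the socket."""
    return send_headers(400, "Bad Request", [("Content-Length", "0")]) + end_response(False)


class FakeContainer:
    """Stand-in for the application server's AJP connector (constructed for this example): it hands out
    a pre-rendered outbound stream and answers CPING with a CPONG queued after whatever is already pending."""

    def __init__(self, outbound: bytes) -> None:
        self.outbound = bytearray(outbound)
        self.closed = False

    def send(self, packet: bytes) -> None:
        if packet[4] == CPING:  # payload starts after the 4-byte frame header
            self.outbound += container_packet(bytes([CPONG]))

    def recv_payload(self) -> bytes:
        """Read one framed packet from the container and return its payload."""
        if self.outbound[:2] != b"AB":
            raise ValueError("bad AJP magic from container")
        length = struct.unpack(">H", self.outbound[2:4])[0]
        payload = bytes(self.outbound[4:4 + length])
        if len(payload) != length:
            raise ValueError("truncated AJP packet")
        del self.outbound[:4 + length]
        return payload


def read_response(c: FakeContainer) -> Dict[str, object]:
    """Web-server side: consume SEND_HEADERS ... END_RESPONSE and record status and reuse flag."""
    status = None
    while True:
        p = c.recv_payload()
        if p[0] == SEND_HEADERS:
            status = struct.unpack(">H", p[1:3])[0]
        elif p[0] == END_RESPONSE:
            return {"status": status, "reuse": bool(p[1])}
        else:
            raise ValueError(f"unexpected prefix 0x{p[0]:02x} inside a response")


def proxy_turn(c: FakeContainer) -> Dict[str, object]:
    """One web-server turn: read the response, then close the socket or CPING-probe it before reuse."""
    result = read_response(c)
    if not result["reuse"]:
        c.closed = True
        result["probe"] = "closed"
        return result
    c.send(server_packet(bytes([CPING])))
    p = c.recv_payload()
    result["probe"] = "cpong" if p[0] == CPONG else f"unexpected prefix 0x{p[0]:02x}"
    return result
```

Running proxy_turn(FakeContainer(buggy_400_stream())) yields a 400 with reuse set and a probe result of "unexpected prefix 0x04": the CPONG is queued behind the stale second SEND_HEADERS, which is exactly what the web server reads. With fixed_400_stream() the reuse flag is clear, the proxy closes the socket and never sends CPING.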

Original References

The CVE-2022-1319 vulnerability was published by Red Hat, and detailed information about the issue can be found through the following links:

- Undertow GitHub Repository: https://github.com/undertow-io/undertow
- Red Hat CVE-2022-1319 Security Advisory: https://access.redhat.com/security/cve/CVE-2022-1319
- JBoss EAP 7 Documentation

Conclusion

The CVE-2022-1319 vulnerability is a reminder of how a small discrepancy in response packet handling, here a reuse flag that should have been cleared and a response that should have been sent once, can break the connection between a web server and an application server built on Undertow. The impact is on the availability of that AJP link rather than on the application's data. Organizations that run JBoss EAP 7 behind an AJP connector should apply the relevant patches and, after patching, confirm that a 400 response is followed by a single END_RESPONSE with the reuse flag cleared.

Timeline

Published on: 08/31/2022 16:15:00 UTC
Last modified on: 11/07/2022 19:09:00 UTC