New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test(deps): update dependency io.undertow:undertow-core to v2.3.14.final [security] #377

Open

renovate-bot wants to merge 1 commit into googleapis:main from renovate-bot:renovate/maven-io.undertow-undertow-core-vulnerability

Contributor

renovate-bot commented Apr 15, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
io.undertow:undertow-core (source)	`2.2.24.Final` -> `2.3.14.Final`

GitHub Vulnerability Alerts

CVE-2024-1459

A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.

CVE-2024-6162

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

CVE-2024-1635

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available.

At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.

Release Notes

undertow-io/undertow (io.undertow:undertow-core)

`v2.3.14.Final`

Includes CVES: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685

    Release Notes - Undertow - Version 2.3.14.Final

Sub-task

[UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read

Bug

[UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
[UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
[UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
[UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
[UNDERTOW-2385] - Memory leak in ThreadLocalCache
[UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
[UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
[UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
[UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Component Upgrade

[UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final

Enhancement

[UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when appliable

`v2.3.13.Final`

`v2.3.12.Final`

`v2.3.11.Final`

`v2.3.10.Final`

`v2.3.9.Final`

`v2.3.8.Final`

`v2.3.7.Final`

`v2.3.6.Final`

`v2.3.5.Final`

`v2.3.4.Final`

`v2.3.3.Final`

`v2.3.2.Final`

`v2.3.1.Final`

`v2.3.0.Final`

`v2.2.35.Final`: v.2.2.35.Final

Release Notes - Undertow - Version 2.2.35.Final

Bug

[UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
[UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
[UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
[UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
[UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer

`v2.2.34.Final`

Includes CVES: CVE-2024-3653 CVE-2024-5971

    Release Notes - Undertow - Version 2.2.34.Final

Bug

[UNDERTOW-2033] - secure predicate unreliable with HTTP/2
[UNDERTOW-2046] - ProxyHandler passes hostname not IP in X-Forwarded-For
[UNDERTOW-2343] - Zero-Byte Response and Empty Response Code on Page Refresh with Wildfly 30 and Firefox
[UNDERTOW-2382] - CVE-2024-3653 LearningPushHandler can lead to remote memory DoS attacks
[UNDERTOW-2397] - Handle Huffman encoding properly
[UNDERTOW-2413] - CVE-2024-5971 undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket
[UNDERTOW-2418] - Adjust properly session timeout also in case when FORM is combined with other mechanisms

Documentation

[UNDERTOW-2193] - UndertowOptions class doesn't specify what many size settings represent

Enhancement

[UNDERTOW-2386] - Update ci.yml link to git docs
[UNDERTOW-2398] - Tweak workflow to allow manual re-runs

`v2.2.33.Final`

Includes CVES: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685

    Release Notes - Undertow - Version 2.2.33.Final

Sub-task

[UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read

Bug

[UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
[UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
[UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
[UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
[UNDERTOW-2385] - Memory leak in ThreadLocalCache
[UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
[UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
[UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
[UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Component Upgrade

[UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final
[UNDERTOW-2406] - Upgrade XNIO from 3.8.8.Final to 3.8.15.Final

Enhancement

[UNDERTOW-2291] - Shush the javadoc plugin
[UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when appliable
[UNDERTOW-2415] - Disable JDK8 CI tests for Mac OS

`v2.2.32.Final`

`v2.2.31.Final`

`v2.2.30.Final`

`v2.2.29.Final`

`v2.2.28.Final`

`v2.2.27.Final`

`v2.2.26.Final`

`v2.2.25.Final`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate-bot requested review from a team as code owners

April 15, 2024 21:18

renovate-bot requested a review from gkevinzheng

April 15, 2024 21:18

trusted-contributions-gcf bot added the kokoro:force-run label

product-auto-label bot added the size: xs label

trusted-contributions-gcf bot added the owlbot:run label

product-auto-label bot added the api: logging label

gcf-owl-bot bot removed the owlbot:run label

blunderbuss-gcf bot assigned cindy-peng

yoshi-kokoro removed the kokoro:force-run label

product-auto-label bot added the stale: old label

product-auto-label bot added stale: extraold and removed stale: old labels


          test(deps): update dependency io.undertow:undertow-core to v2.3.14.fi…

99adfdb

…nal [security]

renovate-bot force-pushed the renovate/maven-io.undertow-undertow-core-vulnerability branch from 8ac2be3 to 99adfdb Compare

June 20, 2024 20:01

renovate-bot changed the title ~~test(deps): update dependency io.undertow:undertow-core to v2.2.31.final [security]~~ test(deps): update dependency io.undertow:undertow-core to v2.3.14.final [security]

trusted-contributions-gcf bot added kokoro:force-run owlbot:run labels

gcf-owl-bot bot removed the owlbot:run label

yoshi-kokoro removed the kokoro:force-run label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

api: logging size: xs stale: extraold