[UNDERTOW-2048] CVE-2022-2764 UndertowInputStream.close() blocks waiting to read= -1

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 2.3.0.Final, 2.2.21.Final, 2.2.20.SP1
Affects Version/s: None
Component/s: None
Labels:
None

Git Pull Request:
https://gitlab.cee.redhat.com/frainone/undertow/-/commit/c20f12a6bbe5879dac8cbadeda4c542f26b9904d, https://github.com/undertow-io/undertow/pull/1382, https://github.com/undertow-io/undertow/pull/1386

This can cause the following stack trace in certain cenarios:

"default task-6" #167 prio=5 os_prio=0 cpu=129039.92ms elapsed=7555.11s tid=0x000000000af4b000 nid=0x4a9d runnable  [0x00007fe91f2b2000]
   java.lang.Thread.State: RUNNABLE
        at sun.nio.ch.EPoll.wait(java.base@11.0.1/Native Method)
        at sun.nio.ch.EPollSelectorImpl.doSelect(java.base@11.0.1/EPollSelectorImpl.java:120)
        at sun.nio.ch.SelectorImpl.lockAndDoSelect(java.base@11.0.1/SelectorImpl.java:124)
        - locked <0x00000000d1e9e3b0> (a sun.nio.ch.Util$2)
        - locked <0x00000000d1e9e150> (a sun.nio.ch.EPollSelectorImpl)
        at sun.nio.ch.SelectorImpl.select(java.base@11.0.1/SelectorImpl.java:141)
        at org.xnio.nio.SelectorUtils.await(SelectorUtils.java:51)
        at org.xnio.nio.NioSocketConduit.awaitReadable(NioSocketConduit.java:358)
        at org.xnio.conduits.AbstractSourceConduit.awaitReadable(AbstractSourceConduit.java:66)
        at io.undertow.conduits.ReadDataStreamSourceConduit.awaitReadable(ReadDataStreamSourceConduit.java:101)
        at org.xnio.conduits.AbstractSourceConduit.awaitReadable(AbstractSourceConduit.java:66)
        at org.xnio.conduits.ConduitStreamSourceChannel.awaitReadable(ConduitStreamSourceChannel.java:151)
        at io.undertow.channels.DetachableStreamSourceChannel.awaitReadable(DetachableStreamSourceChannel.java:77)
        at io.undertow.server.HttpServerExchange$ReadDispatchChannel.awaitReadable(HttpServerExchange.java:2218)
        at org.xnio.channels.Channels.readBlocking(Channels.java:295)
        at io.undertow.io.UndertowInputStream.readIntoBuffer(UndertowInputStream.java:109)
        at io.undertow.io.UndertowInputStream.close(UndertowInputStream.java:160)
        at org.wildfly.httpclient.ejb.HttpInvocationHandler$1.getRequestContent(HttpInvocationHandler.java:231)
        at org.jboss.as.ejb3.remote.AssociationImpl.receiveInvocationRequest(AssociationImpl.java:139)
        at org.wildfly.httpclient.ejb.HttpInvocationHandler.lambda$handleInternal$0(HttpInvocationHandler.java:152)
        at org.wildfly.httpclient.ejb.HttpInvocationHandler$$Lambda$973/0x0000000100ed0c40.run(Unknown Source)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
        at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
        at java.lang.Thread.run(java.base@11.0.1/Thread.java:834)

is incorporated by

UNDERTOW-2507 Get 2.0.41.SP branch in good shape

Resolved

WFCORE-6057 Upgrade Undertow to 2.3.0.Final (CVE-2022-2764)

Closed

links to

CVE-2022-2764

Flavia Rainone created issue - 2022/03/25 6:24 AM

Flavia Rainone made changes - 2022/03/25 6:24 AM

Status

Original: Open [ 1 ]

New: Coding In Progress [ 3 ]

Flavia Rainone made changes - 2022/03/25 6:28 AM

Involved

New: Flavia Rainone, Paramvir Jindal, Richard Opalka, Stefano Maestri, Ted Won [ flavia.rainone, paramjindal, ropalka, maeste, rhn-support-jwon ]

Flavia Rainone made changes - 2022/03/29 5:25 AM

Link

New: This issue follows up on EAPSUP-720 [ EAPSUP-720 ]

Flavia Rainone made changes - 2022/03/29 7:24 AM

Link

New: This issue relates to WEJBHTTP-71 [ WEJBHTTP-71 ]

Flavia Rainone made changes - 2022/03/29 7:25 AM

Link

New: This issue relates to WEJBHTTP-72 [ WEJBHTTP-72 ]

Flavia Rainone made changes - 2022/04/25 11:06 AM

Fix Version/s

New: 2.2.19.Final [ 12385362 ]

Flavia Rainone made changes - 2022/06/01 2:04 PM

Involved

Original: Flavia Rainone, Paramvir Jindal, Richard Opalka, Stefano Maestri, Ted Won [ flavia.rainone, paramjindal, ropalka, maeste, rhn-support-jwon ]

New: Flavia Rainone, Paramvir Jindal, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman [ flavia.rainone, paramjindal, ropalka, maeste, rhn-support-jwon, thofman ]

Flavia Rainone made changes - 2022/06/01 2:07 PM

Fix Version/s

New: 2.3.0.Final [ 12384184 ]

Flavia Rainone made changes - 2022/06/16 1:32 PM

Involved

Original: Flavia Rainone, Paramvir Jindal, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman [ flavia.rainone, paramjindal, ropalka, maeste, rhn-support-jwon, thofman ]

New: Flavia Rainone, Jason Lee, Paramvir Jindal, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman [ flavia.rainone, jaslee, paramjindal, ropalka, maeste, rhn-support-jwon, thofman ]

Flavia Rainone made changes - 2022/08/11 7:11 AM

Fix Version/s		New: 2.2.20.Final [ 12392870 ]
Fix Version/s	Original: 2.2.19.Final [ 12385362 ]

Darran Lofthouse made changes - 2022/08/15 11:03 AM

Involved

Original: Flavia Rainone, Jason Lee, Paramvir Jindal, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman [ flavia.rainone, jaslee, paramjindal, ropalka, maeste, rhn-support-jwon, thofman ]

New: Flavia Rainone, Jason Lee, Paramvir Jindal, Radovan Stancel, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman [ flavia.rainone, jaslee, paramjindal, rstancel, ropalka, maeste, rhn-support-jwon, thofman ]

Radovan Stancel made changes - 2022/08/16 10:50 AM

Involved

Original: Flavia Rainone, Jason Lee, Paramvir Jindal, Radovan Stancel, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman [ flavia.rainone, jaslee, paramjindal, rstancel, ropalka, maeste, rhn-support-jwon, thofman ]

New: Flavia Rainone, Jason Lee, Moulali Shikalwadi, Paramvir Jindal, Radovan Stancel, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman [ flavia.rainone, jaslee, mshikalw, paramjindal, rstancel, ropalka, maeste, rhn-support-jwon, thofman ]

Flavia Rainone made changes - 2022/08/16 1:12 PM

Link

New: This issue causes JBEAP-23902 [ JBEAP-23902 ]

Flavia Rainone made changes - 2022/08/16 1:44 PM

Summary

Original: UndertowInputStream.close() blocks waiting to read -1

New: CVE-2022-2764 UndertowInputStream.close() blocks waiting to read= -1

Flavia Rainone made changes - 2022/08/16 1:44 PM

Involved

Original: Flavia Rainone, Jason Lee, Moulali Shikalwadi, Paramvir Jindal, Radovan Stancel, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman [ flavia.rainone, jaslee, mshikalw, paramjindal, rstancel, ropalka, maeste, rhn-support-jwon, thofman ]

New: Alessio Soldano, Bartosz Baranowski, Brad Maxwell, Brian Stansberry, Carlo de Wolf, Chess Hazlett, Daniel Kreling, Darran Lofthouse, Farah Juma, Flavia Rainone, Ingo Weiss, Jason Lee, Jonathan Christison, Kunjan Rathod, Lin Gao, Martin Svehla, Michaela Osmerova, Miroslav Sochurek, Moulali Shikalwadi, Neil Wallace, Paramvir Jindal, Peter Mackay, Radovan Stancel, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman, Tom Jenkinson, Vladimir Dosoudil [ asoldano, baranowb, bmaxwell, brian.stansberry, wolfc, chazlett, dkreling, dlofthouse, fjuma, flavia.rainone, iweiss, jaslee, jonnychristison, krathod, gaol, msvehla, JIRAUSER173624, msochure, mshikalw, nwallace, paramjindal, pmackay, rstancel, ropalka, maeste, rhn-support-jwon, thofman, tomjenkinson, dosoudil ]

Paramvir Jindal made changes - 2022/08/30 5:37 AM

Involved

Original: Alessio Soldano, Bartosz Baranowski, Brad Maxwell, Brian Stansberry, Carlo de Wolf, Chess Hazlett, Daniel Kreling, Darran Lofthouse, Farah Juma, Flavia Rainone, Ingo Weiss, Jason Lee, Jonathan Christison, Kunjan Rathod, Lin Gao, Martin Svehla, Michaela Osmerova, Miroslav Sochurek, Moulali Shikalwadi, Neil Wallace, Paramvir Jindal, Peter Mackay, Radovan Stancel, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman, Tom Jenkinson, Vladimir Dosoudil [ asoldano, baranowb, bmaxwell, brian.stansberry, wolfc, chazlett, dkreling, dlofthouse, fjuma, flavia.rainone, iweiss, jaslee, jonnychristison, krathod, gaol, msvehla, JIRAUSER173624, msochure, mshikalw, nwallace, paramjindal, pmackay, rstancel, ropalka, maeste, rhn-support-jwon, thofman, tomjenkinson, dosoudil ]

New: Alessio Soldano, Bartosz Baranowski, Brad Maxwell, Brian Stansberry, Carlo de Wolf, Chess Hazlett, Daniel Kreling, Darran Lofthouse, Farah Juma, Flavia Rainone, Ingo Weiss, Jason Lee, Jonathan Christison, Kunjan Rathod, Lin Gao, Martin Svehla, Michaela Osmerova, Miroslav Sochurek, Moulali Shikalwadi, Neil Wallace, Paramvir Jindal, Peter Mackay, Peter Palaga, Radovan Stancel, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman, Tom Jenkinson, Vladimir Dosoudil [ asoldano, baranowb, bmaxwell, brian.stansberry, wolfc, chazlett, dkreling, dlofthouse, fjuma, flavia.rainone, iweiss, jaslee, jonnychristison, krathod, gaol, msvehla, JIRAUSER173624, msochure, mshikalw, nwallace, paramjindal, pmackay, ppalaga, rstancel, ropalka, maeste, rhn-support-jwon, thofman, tomjenkinson, dosoudil ]

Amol Dongare made changes - 2022/09/09 7:16 AM

Link

Original: This issue follows up on EAPSUP-720 [ EAPSUP-720 ]

Amol Dongare made changes - 2022/09/09 7:16 AM

Link

New: This issue relates to EAPSUP-720 [ EAPSUP-720 ]

Flavia Rainone made changes - 2022/10/08 12:11 AM

Fix Version/s		New: 2.2.20.SP1 [ 12397538 ]
Fix Version/s		New: 2.2.21.Final [ 12397537 ]
Fix Version/s	Original: 2.2.20.Final [ 12392870 ]

Flavia Rainone made changes - 2022/10/10 3:54 AM

Git Pull Request		New: https://gitlab.cee.redhat.com/frainone/undertow/-/commit/c20f12a6bbe5879dac8cbadeda4c542f26b9904d
Status	Original: Coding In Progress [ 3 ]	New: Pull Request Sent [ 10011 ]

Flavia Rainone made changes - 2022/10/10 3:54 AM

Resolution		New: Done [ 1 ]
Status	Original: Pull Request Sent [ 10011 ]	New: Resolved [ 5 ]

Flavia Rainone made changes - 2022/10/10 2:41 PM

Security

Original: Security Issue [ 10292 ]

Flavia Rainone made changes - 2022/10/10 2:43 PM

Labels

New: needs-backport

Flavia Rainone made changes - 2022/10/10 2:44 PM

Git Pull Request

Original: https://gitlab.cee.redhat.com/frainone/undertow/-/commit/c20f12a6bbe5879dac8cbadeda4c542f26b9904d

New: https://gitlab.cee.redhat.com/frainone/undertow/-/commit/c20f12a6bbe5879dac8cbadeda4c542f26b9904d, https://github.com/undertow-io/undertow/pull/1382

Flavia Rainone made changes - 2022/10/10 6:12 PM

Remote Link

New: This issue links to "CVE-2022-2764 (Web Link)" [ 1023905 ]

Richard Opalka made changes - 2022/10/12 6:06 AM

Git Pull Request

Original: https://gitlab.cee.redhat.com/frainone/undertow/-/commit/c20f12a6bbe5879dac8cbadeda4c542f26b9904d, https://github.com/undertow-io/undertow/pull/1382

New: https://gitlab.cee.redhat.com/frainone/undertow/-/commit/c20f12a6bbe5879dac8cbadeda4c542f26b9904d, https://github.com/undertow-io/undertow/pull/1382, https://github.com/undertow-io/undertow/pull/1386

Richard Opalka made changes - 2022/10/12 6:07 AM

Labels

Original: needs-backport

Richard Opalka made changes - 2022/10/12 6:07 AM

Labels

New: needs-backport

Flavia Rainone made changes - 2022/10/12 9:10 AM

Link

New: This issue is incorporated by ~~WFCORE-6057~~ [ ~~WFCORE-6057~~ ]

Flavia Rainone made changes - 2022/10/12 3:07 PM

Labels

Original: needs-backport

Flavia Rainone made changes - 2022/12/09 11:24 AM

Status

Original: Resolved [ 5 ]

New: Closed [ 6 ]

Flavia Rainone made changes - 2024/10/11 7:50 AM

Link

New: This issue is incorporated by ~~UNDERTOW-2507~~ [ ~~UNDERTOW-2507~~ ]

Assignee:: Flavia Rainone

Reporter:: Flavia Rainone

Involved:: Alessio Soldano, (29)
Bartosz Baranowski, Brad Maxwell, Brian Stansberry, Carlo de Wolf, Chess Hazlett, Daniel Kreling, Darran Lofthouse, Farah Juma, Flavia Rainone, Ingo Weiss, Jason Lee, Jonathan Christison, Kunjan Rathod (Inactive), Lin Gao, Martin Svehla, Michaela Osmerova, Miroslav Sochurek, Moulali Shikalwadi, Neil Wallace, Paramvir Jindal, Peter Mackay, Peter Palaga, Radovan Stancel, Richard Opalka, Stefano Maestri, Ted Won, Tomas Hofman, Tom Jenkinson, Vladimir Dosoudil

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2022/03/25 6:24 AM

Updated:: 2024/10/11 7:50 AM

Resolved:: 2022/10/10 3:54 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates