Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 2.3.14.Final, 2.2.33.Final
Affects Version/s: None
Component/s: None
Labels:
None

Git Pull Request:
https://github.com/undertow-io/undertow/pull/1532, https://github.com/undertow-io/undertow/pull/1610

1. In very unlikely scenario, value of cached resource length might differ between time content length header is set - DefaultServlet.java#L322 and write time:

CachedResource.java#L144
CachedResource.java#L163
2. TTL = 0 does not mean cache entries are never created, it means they will live 1ms, which could cause above - DirectBufferCache.java#L240 vs DirectBufferCache.java#L100 (this can give false read out in #1)
3. Both #1 and #2 can be pronounced by exhaustion of FS, when user somehow abuse(testsuite with start/stop/reloads) or OS cant provide change listener - CachingResourceManager.java#L73/.

NOTE: this needs assessment as well - ServletPathMatches.java#L111

blocks

JBEAP-25938 (7.4.z) UNDERTOW-2332 - Requesting deployment overlay may results in ConnectionClosedException

Verified

causes

JBEAP-25832 (8.0.z) UNDERTOW-2332 - Requesting deployment overlay may results in ConnectionClosedException

Closed

is incorporated by

WFCORE-6862 CVE-2024-6162 CVE-2024-27316 Upgrade Undertow to 2.3.14.Final

Resolved

Assignee:: Bartosz Baranowski

Reporter:: Bartosz Baranowski

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/10/25 9:47 AM

Updated:: 2024/07/16 3:22 PM

Resolved:: 2024/06/10 9:46 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates