
CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse


    Undertow might incorrectly re-use an HTTP request header value from a previous stream for a request associated with a subsequent stream on the same HTTP/2 connection. The issue is linked to the readHpackString method and its interaction with the stringBuilder field. While such behavior typically results in an error followed by the termination of the HTTP/2 connection, it presents a potential vector for information leakage between requests.

    There is a similar issue in Apache Tomcat (CVE-2020-17527). The patch for that vulnerability (https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb) addressed a StringBuilder field that was improperly reused across multiple requests, which is what caused the leak there. Undertow's io.undertow.protocols.http2.HpackDecoder class has the same code pattern in its readHpackString method:

    ```
    for (int i = 0; i < length; ++i) {
        // stringBuilder is an instance field, shared by every call on this decoder
        stringBuilder.append((char) buffer.get());
    }
    String ret = stringBuilder.toString();
    stringBuilder.setLength(0);
    if (ret.isEmpty()) {
        // return the interned empty string, rather than allocating a new one each time
        return "";
    }
    ```
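    As an added illustration (not code from the Undertow project or from this issue), the Java program below reproduces the shared-field pattern quoted above beside a reset-in-finally variant and decodes two consecutive streams through each. It assumes that an exception thrown part-way through the copy loop (here a BufferUnderflowException from a truncated buffer) is what skips the setLength(0) reset; the issue text does not name the exact trigger, and the hardened form is illustrative rather than Undertow's actual fix.

```java
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class HpackStringReuseDemo {
    interface Reader { String readString(ByteBuffer buffer, int length); }
    // Pattern from the issue: one StringBuilder field shared by every call. If buffer.get()
    // throws part-way through the loop, setLength(0) is skipped and the partial value is
    // still in the builder when the next stream's header is decoded.
    static final class LeakyReader implements Reader {
        private final StringBuilder stringBuilder = new StringBuilder();
        public String readString(ByteBuffer buffer, int length) {
            for (int i = 0; i < length; ++i) {
                stringBuilder.append((char) buffer.get()); // BufferUnderflowException if short
            }
            String ret = stringBuilder.toString();
            stringBuilder.setLength(0);
            return ret.isEmpty() ? "" : ret;
        }
    }
    // Hardened form (illustrative, not Undertow's actual fix): reset in finally, so a failed
    // decode cannot leave residue behind for the next stream.
    static final class SafeReader implements Reader {
        private final StringBuilder stringBuilder = new StringBuilder();
        public String readString(ByteBuffer buffer, int length) {
            try {
                for (int i = 0; i < length; ++i) {
                    stringBuilder.append((char) buffer.get());
                }
                return stringBuilder.toString();
            } finally {
                stringBuilder.setLength(0);
            }
        }
    }
    // Constructed scenario: stream 1 declares a 6-byte literal but only 3 bytes are present;
    // stream 2 on the same connection then carries a complete 3-byte literal. A server would
    // normally reset the connection after the failure; here the decoder object is simply reused.
    static String decodeSecondStream(Reader reader) {
        ByteBuffer truncated = ByteBuffer.wrap("sec".getBytes(StandardCharsets.US_ASCII));
        ByteBuffer next = ByteBuffer.wrap("bar".getBytes(StandardCharsets.US_ASCII));
        try {
            reader.readString(truncated, 6);
        } catch (BufferUnderflowException ignored) { }
        return reader.readString(next, 3);
    }
    public static void main(String[] args) {
        System.out.println("shared field, no finally: " + decodeSecondStream(new LeakyReader()));
        System.out.println("reset in finally:         " + decodeSecondStream(new SafeReader()));
    }
}
```

    Running it shows the second stream's header value carrying the first stream's partial bytes when the builder is not reset on the failure path, and only its own bytes when it is.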

            flaviarnn Flavia Rainone
            Bartosz Baranowski, Brad Maxwell, Brian Stansberry, Carlo de Wolf, Darran Lofthouse, Flavia Rainone, Ilia Vassilev, Jason Lee, Lin Gao, Stefano Maestri, Tom Jenkinson, Yeray Borges Santana