CVE-2020-35510

A flaw was found in jboss-remoting in versions before 5.0.20.SP1-redhat-00001. A malicious attacker could cause threads to hold up forever in the EJB server by writing a sequence of bytes corresponding to the expected messages of a successful EJB client request, but omitting the ACK messages, or just tamper with jboss-remoting code, deleting the lines that send the ACK message from the EJB client code resulting in a denial of service. The highest threat from this vulnerability is to system availability.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1905796

Affected packages

Git / github.com/jboss-remoting/jboss-remoting

Affected ranges

Type

GIT

Repo

https://github.com/jboss-remoting/jboss-remoting

Events

Introduced

Fixed

7ddcda3c0180b17059b9991305e9c8f410710fb0

Introduced

Last affected

7ddcda3c0180b17059b9991305e9c8f410710fb0

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.0.20"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.0.20-NA"
        }
    ]
}

Affected versions

3.*

3.1.0.Beta2

3.2.0.Beta1

3.2.0.Beta2

3.2.0.Beta3

3.2.0.Beta4

3.2.0.Beta5

3.2.0.Beta6

3.2.0.CR1

3.2.0.CR2

3.2.0.CR3

3.2.0.CR4

3.2.0.CR5

3.2.0.CR6

3.2.0.CR7

3.2.0.CR8

3.2.0.CR9

3.2.0.GA

4.*

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.Final

5.*

5.0.0.Beta1

5.0.0.Beta10

5.0.0.Beta11

5.0.0.Beta12

5.0.0.Beta13

5.0.0.Beta14

5.0.0.Beta15

5.0.0.Beta16

5.0.0.Beta17

5.0.0.Beta18

5.0.0.Beta19

5.0.0.Beta2

5.0.0.Beta20

5.0.0.Beta21

5.0.0.Beta22

5.0.0.Beta23

5.0.0.Beta24

5.0.0.Beta25

5.0.0.Beta3

5.0.0.Beta4

5.0.0.Beta5

5.0.0.Beta6

5.0.0.Beta7

5.0.0.Beta8

5.0.0.Beta9

5.0.0.CR1

5.0.0.CR2

5.0.0.CR3

5.0.0.CR4

5.0.0.CR5

5.0.0.Final

5.0.1.Final

5.0.2.Final

5.0.20.Final

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-35510.json"