OESA-2024-2579
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2579
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2024-2579.json
- JSON Data
- https://api.osv.dev/v1/vulns/OESA-2024-2579
- Upstream
- Published
- 2024-12-20T13:08:01Z
- Modified
- 2025-09-03T06:20:25.528247Z
- Summary
- undertow security update
- Details
-
Java web server using non-blocking IO
Security Fix(es):
Description: Product Security received a report that Undertow might incorrectly re-use an HTTP request header value from a previous stream for a request associated with a subsequent stream on the same HTTP/2 connection. The issue is linked to the readHpackString method and its interaction with the stringBuilder field. While such behavior typically results in an error followed by the termination of the HTTP/2 connection, it presents a potential vector for information leakage between requests. The original reporter referenced a similar issue in Apache Tomcat (CVE-2020-17527). In the patch for that vulnerability (https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb) a StringBuilder field was improperly reused across multiple requests, leading to this issue. In the io.undertow.protocols.http2.HpackDecoder class of Undertow, within the readHpackString method, there is a code pattern identical to the one mentioned:
for (int i = 0; i < length; ++i) { stringBuilder.append((char) buffer.get()); } String ret = stringBuilder.toString(); stringBuilder.setLength(0); if (ret.isEmpty()) { //return the interned empty string, rather than allocating a new one each time return ""; }Steps to reproduce: No reproducers or PoC were provided, this issue was identified through static testing. Affected versions: 2.2.x, 2.3.x, and 3.x(CVE-2024-4109) - Database specific
{ "severity": "High" }- References