A flaw was found in Undertow when using Remoting as shipped in Red Hat JBoss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable.

The product does not release or incorrectly releases a resource before it is made available for re-use.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Jboss-remoting | Redhat | * | 5.0.14 (excluding) |
Jboss-remoting | Redhat | 5.0.14 (including) | 5.0.14 (including) |
Jboss_enterprise_application_platform | Redhat | * | 7.2.4 (excluding) |
Undertow | Redhat | * | 2.0.25 (excluding) |
Undertow | Redhat | 2.0.25 (including) | 2.0.25 (including) |
Red Hat Fuse 7.8.0 | RedHat | undertow | * |
Red Hat JBoss EAP 7.2 | RedHat | * | |
Red Hat JBoss Enterprise Application Platform Continuous Delivery | RedHat | undertow | * |
Undertow | Ubuntu | bionic | * |
Undertow | Ubuntu | disco | * |
Undertow | Ubuntu | eoan | * |
Undertow | Ubuntu | groovy | * |
Undertow | Ubuntu | hirsute | * |
Undertow | Ubuntu | impish | * |
Undertow | Ubuntu | kinetic | * |
Undertow | Ubuntu | trusty | * |
Undertow | Ubuntu | xenial | * |