CVE Vulnerabilities

CVE-2020-14340

Uncontrolled Resource Consumption

Published: Jun 02, 2021 | Modified: Nov 21, 2024
CVSS 3.x
5.9
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
5.9 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Name Vendor Start Version End Version
Xnio Redhat 3.6.1 (including) 3.7.9 (excluding)
Xnio Redhat 3.8.0 (including) 3.8.2 (excluding)
Xnio Redhat 3.6.0-beta1 (including) 3.6.0-beta1 (including)
Xnio Redhat 3.6.0-beta2 (including) 3.6.0-beta2 (including)
EAP 7.3.3 RedHat xnio *
Red Hat Fuse 7.9 RedHat xnio *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-activemq-artemis-0:2.9.0-5.redhat_00011.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-activemq-artemis-native-1:1.0.2-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-apache-commons-codec-0:1.14.0-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-apache-commons-lang-0:3.10.0-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-apache-cxf-0:3.3.7-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-artemis-native-1:1.0.2-3.redhat_1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-bouncycastle-0:1.65.0-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-glassfish-jsf-0:2.3.9-11.SP12_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-hal-console-0:3.2.10-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-hibernate-0:5.3.18-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-httpcomponents-client-0:4.5.12-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-httpcomponents-core-0:4.4.13-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jberet-0:1.3.7-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jboss-invocation-0:1.5.3-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jboss-logmanager-0:2.1.17-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jboss-server-migration-0:1.7.2-2.Final_redhat_00002.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jboss-xnio-base-0:3.7.9-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jgroups-0:4.1.10-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-narayana-0:5.9.9-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-picketbox-0:5.0.3-8.Final_redhat_00007.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-picketlink-bindings-0:2.5.5-25.SP12_redhat_00013.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-snakeyaml-0:1.26.0-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-undertow-0:2.0.31-1.SP1_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-velocity-0:2.2.0-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-wildfly-0:7.3.3-4.GA_redhat_00004.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-wildfly-elytron-0:1.10.8-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-wildfly-transaction-client-0:1.1.13-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-ws-commons-XmlSchema-0:2.2.5-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-xerces-j2-0:2.12.0-2.SP03_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-activemq-artemis-0:2.9.0-5.redhat_00011.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-activemq-artemis-native-1:1.0.2-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-apache-commons-codec-0:1.14.0-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-apache-commons-lang-0:3.10.0-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-apache-cxf-0:3.3.7-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-artemis-native-1:1.0.2-3.redhat_1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-bouncycastle-0:1.65.0-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-glassfish-jsf-0:2.3.9-11.SP12_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-hal-console-0:3.2.10-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-hibernate-0:5.3.18-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-httpcomponents-client-0:4.5.12-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-httpcomponents-core-0:4.4.13-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jberet-0:1.3.7-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jboss-invocation-0:1.5.3-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jboss-logmanager-0:2.1.17-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jboss-server-migration-0:1.7.2-2.Final_redhat_00002.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jboss-xnio-base-0:3.7.9-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jgroups-0:4.1.10-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-narayana-0:5.9.9-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-picketbox-0:5.0.3-8.Final_redhat_00007.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-picketlink-bindings-0:2.5.5-25.SP12_redhat_00013.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-snakeyaml-0:1.26.0-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-undertow-0:2.0.31-1.SP1_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-velocity-0:2.2.0-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-wildfly-0:7.3.3-4.GA_redhat_00004.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-wildfly-elytron-0:1.10.8-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-wildfly-transaction-client-0:1.1.13-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-ws-commons-XmlSchema-0:2.2.5-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-xerces-j2-0:2.12.0-2.SP03_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-activemq-artemis-0:2.9.0-5.redhat_00011.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-activemq-artemis-native-1:1.0.2-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-apache-commons-codec-0:1.14.0-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-apache-commons-lang-0:3.10.0-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-apache-cxf-0:3.3.7-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-artemis-native-1:1.0.2-3.redhat_1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-bouncycastle-0:1.65.0-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-glassfish-jsf-0:2.3.9-11.SP12_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-hal-console-0:3.2.10-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-hibernate-0:5.3.18-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-httpcomponents-client-0:4.5.12-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-httpcomponents-core-0:4.4.13-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jberet-0:1.3.7-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jboss-invocation-0:1.5.3-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jboss-logmanager-0:2.1.17-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jboss-server-migration-0:1.7.2-2.Final_redhat_00002.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jboss-xnio-base-0:3.7.9-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jgroups-0:4.1.10-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-narayana-0:5.9.9-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-picketbox-0:5.0.3-8.Final_redhat_00007.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-picketlink-bindings-0:2.5.5-25.SP12_redhat_00013.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-snakeyaml-0:1.26.0-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-undertow-0:2.0.31-1.SP1_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-velocity-0:2.2.0-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-wildfly-0:7.3.3-4.GA_redhat_00004.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-wildfly-elytron-0:1.10.8-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-wildfly-transaction-client-0:1.1.13-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-ws-commons-XmlSchema-0:2.2.5-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-xerces-j2-0:2.12.0-2.SP03_redhat_00001.1.el8eap *
Red Hat Single Sign-On 7.4.3 RedHat xnio *
Text-Only RHOAR RedHat *
Jboss-xnio Ubuntu bionic *
Jboss-xnio Ubuntu focal *
Jboss-xnio Ubuntu groovy *
Jboss-xnio Ubuntu trusty *
Jboss-xnio Ubuntu xenial *

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References